
Security: Datasance/edgelet


SECURITY.md

Security Policy

Supported versions

Version                                                Supported
v1.0.0-beta.2 and later pre-releases on develop        Yes
Earlier migration / dev builds                         No

Reporting a vulnerability

If you believe you have found a security issue in Edgelet:

  1. Do not open a public GitHub issue for exploitable vulnerabilities.
  2. Email security@datasance.com with:
    • A description of the issue and impact
    • Steps to reproduce (proof-of-concept if available)
    • Affected version / commit and platform (linux embed, docker/podman, desktop)
  3. We aim to acknowledge reports within 5 business days and provide a remediation timeline when confirmed.

For non-security bugs, use the public issue tracker or CONTRIBUTING.md.

Security gates (maintainers)

Before release tags, run:

make security-code   # gosec on ./cmd ./internal ./pkg
make vulncheck       # govulncheck@v1.1.4 + go mod verify
  • gosec is intentionally not in golangci-lint; static analysis is scoped to edgelet module trees.
  • govulncheck scans ./cmd/..., ./internal/... and ./pkg/... . Goal: zero vulnerabilities affecting call paths.
  • CI: .github/workflows/govulncheck.yml (on go.sum push, daily cron, manual dispatch).

Dependency updates (beta)

  • Go toolchain: track Go security releases; bump go in go.mod and CI pins promptly.
  • Modules: go get -u / Dependabot PRs reviewed against make vulncheck.
  • Embedded runtime pins (containerd, crun, CNI).

Known vulnerability exceptions

No documented exceptions as of the Moby SDK migration. make vulncheck must pass with zero findings affecting edgelet call paths.

The previously accepted exceptions GO-2026-4887 / GO-2026-4883 (legacy github.com/docker/docker client SDK) were removed after migrating to github.com/moby/moby/client@v0.4.1.

Exception policy

New exceptions require:

  1. Entry in this table (GO ID, CVE if any, component, rationale, fix timeline).
  2. Matching ID in scripts/vulncheck.sh ALLOWED_VULNS.
  3. Brief note under Known limitations in CHANGELOG.md at next release (15-4).

Undocumented findings fail make vulncheck and CI.
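The gate described under "Security gates" and "Exception policy" (govulncheck findings checked against an ALLOWED_VULNS list, with any undocumented finding failing the run) can be illustrated with the following POSIX shell script. It is an added example, not the project's scripts/vulncheck.sh or its Makefile targets; the allow-list format (space-separated GO ids), the function names and the sample scanner output are assumptions. The sample is constructed in the shape govulncheck -json emits ("finding" objects carrying an "osv" key) and reuses the two GO ids named above purely to show what happens if a retired exception reappears.

```shell
#!/bin/sh
# Added example of an allow-list gate over govulncheck -json output.
# Not the project's scripts/vulncheck.sh; function names and allow-list
# format are assumptions made for this illustration.

# Constructed sample, not real scanner output: a config record, one full
# OSV entry (which has "id", not "osv", so it must not count as a finding)
# and three finding records, two of them for the same id.
SAMPLE_GOVULNCHECK_JSON='{"config":{"protocol_version":"v1.0.0","scanner_name":"govulncheck"}}
{"osv":{"id":"GO-2026-4887","summary":"constructed entry"}}
{"finding":{"osv":"GO-2026-4887","trace":[{"module":"github.com/docker/docker"}]}}
{"finding":{"osv":"GO-2026-4883","trace":[{"module":"github.com/docker/docker"}]}}
{"finding":{"osv":"GO-2026-4883","trace":[{"module":"github.com/docker/docker","function":"Foo"}]}}'

# Print the sorted, de-duplicated OSV ids of every "finding" record on stdin.
# The pattern only matches the string-valued "osv" key of findings, not the
# object-valued "osv" key of full OSV entries.
finding_ids() {
    grep -o '"osv": *"GO-[0-9]*-[0-9]*"' | sed 's/.*"\(GO-[0-9-]*\)"/\1/' | sort -u
}

# unallowed_findings ALLOWED
#   ALLOWED is a space-separated list of documented exception ids.
#   Reads scanner JSON on stdin, prints each finding id that is not in
#   ALLOWED (one per line) and returns 1 if there were any, else 0.
unallowed_findings() {
    allowed=" ${1:-} "
    status=0
    for id in $(finding_ids); do
        case "$allowed" in
            *" $id "*) ;;                  # documented exception: tolerated
            *) echo "$id"; status=1 ;;     # undocumented: fails the gate
        esac
    done
    return $status
}

# run_gate ALLOWED
#   Runs the gate over the constructed sample. In a real gate the input
#   would be `govulncheck -json ./cmd/... ./internal/... ./pkg/...`.
run_gate() {
    if undoc=$(printf '%s\n' "$SAMPLE_GOVULNCHECK_JSON" | unallowed_findings "${1:-}"); then
        echo "vulncheck: OK, all findings are documented exceptions"
        return 0
    fi
    echo "vulncheck: FAIL, undocumented findings:" >&2
    echo "$undoc" >&2
    return 1
}

# Stand-alone use: pass the allow-list as the first argument, e.g.
#   sh vulncheck-gate.sh "GO-2026-4887"       -> fails on GO-2026-4883
#   sh vulncheck-gate.sh "GO-2026-4887 GO-2026-4883" -> passes
if [ "$#" -gt 0 ]; then
    run_gate "$1" || exit 1
fi
```

The point of the structure is that the allow-list is the only way a finding can be tolerated: an id that is neither fixed nor entered as an exception is printed and turns the exit status non-zero, which is what makes CI fail on undocumented findings.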
