Go CNA Policy

Back to Go Vulnerability Management


The Go CNA is a CVE Numbering Authority, which issues CVE IDs and publishes CVE Records for public vulnerabilities in the Go ecosystem. It is a sub-CNA of the Google CNA.


The Go CNA covers vulnerabilities in the Go project (the Go standard library and sub-repositories) and public vulnerabilities in importable Go modules that are not already covered by another CNA.

This scope is intended to explicitly exclude vulnerabilities in applications or packages written in Go that are not importable (for example, anything in package main). See go.dev/security/vuln/database#excluded-reports for more information on excluded reports.

To report potential new vulnerabilities in the Go project, refer to go.dev/security/policy.

Requesting a CVE ID for a public vulnerability

IMPORTANT: The form linked below creates a public issue on the issue tracker, and therefore must not be used to report undisclosed vulnerabilities in Go (see our security policy for instructions on reporting undisclosed issues).

To request a CVE ID for an existing PUBLIC vulnerability in the Go ecosystem, submit a request via this form.

A vulnerability is considered public if it has already been disclosed publicly, or it exists in a package you maintain, and you are ready to disclose it publicly.