flutter/SECURITY.md

# Security Policy

## Supported Versions

We commit to publishing security updates for the version of Flutter currently
on the `stable` branch.

## Reporting a Vulnerability

To report a vulnerability, please e-mail `security@flutter.dev` with a description of the issue,
the steps you took to create the issue, affected versions, and if known, mitigations for the issue.

We should reply within three working days, probably much sooner.

We use GitHub's security advisory feature to track open security issues. You should expect
a close collaboration as we work to resolve the issue you have reported. Please reach out to
`security@flutter.dev` again if you do not receive prompt attention and regular updates.

You may also reach out to the team via our public [Discord](https://github.com/flutter/flutter/wiki/Chat) chat channels; however, please make
sure to e-mail `security@flutter.dev` when reporting an issue, and avoid revealing information about
vulnerabilities in public if that could put users at risk.

## Process

This section describes the process used by the Flutter team when handling vulnerability reports.

Vulnerability reports are received via the `security@flutter.dev` e-mail alias. Certain team members
who have been designated the "vulnerability management team" receive these e-mails. When receiving
such an e-mail, they will:

0. Reply to the e-mail acknowledging its receipt, cc'ing `security@flutter.dev` so that the other
   members of the team are aware that they are handling the issue.
1. Create a new [security advisory](https://github.com/flutter/flutter/security/advisories/new).
   One must be one of the repo admins to do this. Vulnerability management team members who are not
   also a repo admin will reach out to the repo admins until they find one who can create the advisory.
   The repo admins who are also vulnerability management team members are @Hixie, @tvolkert, and @pcsosinski.
2. [Add the reporter](https://docs.github.com/en/free-pro-team@latest/github/managing-security-vulnerabilities/adding-a-collaborator-to-a-security-advisory)
   to the security advisory so that they can get updates.
3. Reopen https://github.com/flutter/flutter/issues/72555 to ensure that security vulnerabilities
   will be checked during critical triage.
4. Inform the relevant team lead, adding them to the security advisory.
5. If the security issue does not yet have a CVE number, they will, as a Googler, see go/cve-request to
   establish one.

As the fix is being developed, they will then reach out to the reporter to ask them if they would like to be involved
and whether they would like to be credited. For credit, the GitHub security advisory UI has a field
that allows contributors to be credited.

When the issue is resolved, they will contact the release team and our PR team to coordinate the publication of the security advisory.

Security issues have the equivalent of a P0 priority level, but (other than via issue 72555) are
not tracked explicitly in the issue database. This means that we attempt to fix them as quickly as possible.

For more information on security advisories, see [the GitHub documentation](https://docs.github.com/en/free-pro-team@latest/github/managing-security-vulnerabilities/managing-security-vulnerabilities-in-your-project).

If team members need additional help from Google, as a Googler, they can see go/vuln.
Create SECURITY.md (#72557) 2021-01-12 00:37:42 +00:00			`# Security Policy`

			`## Supported Versions`

			`We commit to publishing security updates for the version of Flutter currently`
			on the `stable` branch.

			`## Reporting a Vulnerability`

			To report a vulnerability, please e-mail `security@flutter.dev` with a description of the issue,
			`the steps you took to create the issue, affected versions, and if known, mitigations for the issue.`

			`We should reply within three working days, probably much sooner.`

			`We use GitHub's security advisory feature to track open security issues. You should expect`
Fix typo resolved->reported in security.md (#73760) 2021-01-12 03:19:02 +00:00			`a close collaboration as we work to resolve the issue you have reported. Please reach out to`
Create SECURITY.md (#72557) 2021-01-12 00:37:42 +00:00			`security@flutter.dev` again if you do not receive prompt attention and regular updates.

Fix link in SECURITY.md (#84877) 2021-06-30 23:51:06 +00:00			`You may also reach out to the team via our public [Discord](https://github.com/flutter/flutter/wiki/Chat) chat channels; however, please make`
Create SECURITY.md (#72557) 2021-01-12 00:37:42 +00:00			sure to e-mail `security@flutter.dev` when reporting an issue, and avoid revealing information about
			`vulnerabilities in public if that could put users at risk.`

			`## Process`

			`This section describes the process used by the Flutter team when handling vulnerability reports.`

			Vulnerability reports are received via the `security@flutter.dev` e-mail alias. Certain team members
			`who have been designated the "vulnerability management team" receive these e-mails. When receiving`
			`such an e-mail, they will:`

			0. Reply to the e-mail acknowledging its receipt, cc'ing `security@flutter.dev` so that the other
			`members of the team are aware that they are handling the issue.`
			`1. Create a new [security advisory](https://github.com/flutter/flutter/security/advisories/new).`
			`One must be one of the repo admins to do this. Vulnerability management team members who are not`
			`also a repo admin will reach out to the repo admins until they find one who can create the advisory.`
			`The repo admins who are also vulnerability management team members are @Hixie, @tvolkert, and @pcsosinski.`
			`2. [Add the reporter](https://docs.github.com/en/free-pro-team@latest/github/managing-security-vulnerabilities/adding-a-collaborator-to-a-security-advisory)`
			`to the security advisory so that they can get updates.`
			`3. Reopen https://github.com/flutter/flutter/issues/72555 to ensure that security vulnerabilities`
			`will be checked during critical triage.`
			`4. Inform the relevant team lead, adding them to the security advisory.`
			`5. If the security issue does not yet have a CVE number, they will, as a Googler, see go/cve-request to`
			`establish one.`

			`As the fix is being developed, they will then reach out to the reporter to ask them if they would like to be involved`
			`and whether they would like to be credited. For credit, the GitHub security advisory UI has a field`
			`that allows contributors to be credited.`

			`When the issue is resolved, they will contact the release team and our PR team to coordinate the publication of the security advisory.`

			`Security issues have the equivalent of a P0 priority level, but (other than via issue 72555) are`
			`not tracked explicitly in the issue database. This means that we attempt to fix them as quickly as possible.`

			`For more information on security advisories, see [the GitHub documentation](https://docs.github.com/en/free-pro-team@latest/github/managing-security-vulnerabilities/managing-security-vulnerabilities-in-your-project).`

			`If team members need additional help from Google, as a Googler, they can see go/vuln.`