mirror of https://github.com/flutter/flutter, synced 2024-10-13 11:42:54 +00:00
# Security Policy

## Supported Versions

We commit to publishing security updates for the version of Flutter currently
on the `stable` branch.

## Reporting a Vulnerability

To report a vulnerability, please e-mail `security@flutter.dev` with a description of the issue,
the steps you took to create the issue, affected versions, and if known, mitigations for the issue.

We should reply within three working days, probably much sooner.

We use GitHub's security advisory feature to track open security issues. You should expect
a close collaboration as we work to resolve the issue you have reported. Please reach out to
`security@flutter.dev` again if you do not receive prompt attention and regular updates.

You may also reach out to the team via our public [Discord] chat channels; however, please make
sure to e-mail `security@flutter.dev` when reporting an issue, and avoid revealing information about
vulnerabilities in public if that could put users at risk.

## Process

This section describes the process used by the Flutter team when handling vulnerability reports.

Vulnerability reports are received via the `security@flutter.dev` e-mail alias. Certain team members
who have been designated the "vulnerability management team" receive these e-mails. When receiving
such an e-mail, they will:

0. Reply to the e-mail acknowledging its receipt, cc'ing `security@flutter.dev` so that the other
   members of the team are aware that they are handling the issue.
1. Create a new [security advisory](https://github.com/flutter/flutter/security/advisories/new).
   One must be one of the repo admins to do this. Vulnerability management team members who are not
   also a repo admin will reach out to the repo admins until they find one who can create the advisory.
   The repo admins who are also vulnerability management team members are @Hixie, @tvolkert, and @pcsosinski.
2. [Add the reporter](https://docs.github.com/en/free-pro-team@latest/github/managing-security-vulnerabilities/adding-a-collaborator-to-a-security-advisory)
   to the security advisory so that they can get updates.
3. Reopen https://github.com/flutter/flutter/issues/72555 to ensure that security vulnerabilities
   will be checked during critical triage.
4. Inform the relevant team lead, adding them to the security advisory.
5. If the security issue does not yet have a CVE number, they will, as a Googler, see go/cve-request to
   establish one.

As the fix is being developed, they will then reach out to the reporter to ask them if they would like to be involved
and whether they would like to be credited. For credit, the GitHub security advisory UI has a field
that allows contributors to be credited.

When the issue is resolved, they will contact the release team and our PR team to coordinate the publication of the security advisory.

Security issues have the equivalent of a P0 priority level, but (other than via issue 72555) are
not tracked explicitly in the issue database. This means that we attempt to fix them as quickly as possible.

For more information on security advisories, see [the GitHub documentation](https://docs.github.com/en/free-pro-team@latest/github/managing-security-vulnerabilities/managing-security-vulnerabilities-in-your-project).

If team members need additional help from Google, as a Googler, they can see go/vuln.