Security: flutter/plugins
SECURITY.md
We commit to publishing security updates for the version of Flutter currently on the stable branch.
We treat security reports equivalent to a P0 priority level. This means that we attempt to fix them as quickly as possible. Depending on our release schedule, we will release either a new beta or a stable hotfix for any major security report found in the most recent stable version of our SDK, whichever is most expedient.
Any vulnerability reported for any Flutter websites like flutter.dev does not require a release and will be fixed in the website itself.
To report a security issue, please use https://g.co/vulnz. We use g.co/vulnz for our intake, and do coordination and disclosure here on GitHub (including using GitHub Security Advisory). The Google Security Team will respond within 5 working days of your report on g.co/vulnz.
You may also reach out to the team via our public Discord chat channels; however, please also make sure to make vulnerability reports to g.co/vulnz, and avoid revealing information about vulnerabilities in public if that could put users at risk.
You should expect a close collaboration as we work to resolve the security vulnerability you have reported. Please reach out to security@flutter.dev only if you do not receive a response to a g.co/vulnz report within the above-mentioned 5 working days.
If you believe that an existing GitHub issue is security-related, we ask that you both report the issue to g.co/vulnz and send an email to security@flutter.dev. The email should include the GitHub issue ID and a short description of why it should be handled according to this security policy.
Security reports are not tracked explicitly in the GitHub issue database. We use GitHub's security advisory feature to track open security reports.
This section describes the process used by the Flutter team when handling vulnerability reports.
Vulnerabilities reported to g.co/vulnz are triaged by the Google Security Team, and routed to the Flutter team. Certain team members who have been designated the "vulnerability management team" receive these reports. When receiving such a report, one of the vulnerability management team members will:
- Work with the Google Security Team to triage the report to evaluate its impact and whether it is a security vulnerability.
- Collaborate with the appropriate Flutter team lead to ensure that an owner is assigned to the report. The owner will drive it through the fix and release process.
- Work with the team lead and product manager to determine if this security report requires a security advisory.
- Create a new security advisory if an advisory is required. One must be a repo admin to do this. Vulnerability management team members who are not also a repo admin will reach out to the repo admins until they find one who can create the advisory. The repo admins who are also vulnerability management team members are @jtmcdole and @Piinks.
- Add the vulnerability reporter, relevant team lead and fix owner to the security advisory so that they can get updates.
- If the security issue does not yet have a CVE number, as a Googler, request one from go/cve-request. Every security advisory will have a CVE number.
- Reopen Issue 72555 to ensure that security vulnerabilities will be checked during critical triage.
- Work with the release and PR team to coordinate the publication of the security advisory.
Non-Google teams that use or contribute to Flutter are also welcome to include Flutter within the scope of their bug bounty programs. To have your program listed, please contact security@flutter.dev.
Google considers Flutter to be in scope for the Google Open Source Software Vulnerability Reward Program.
The best way to receive security updates is to subscribe to the flutter-announce mailing list or updates to the Discord channel. We will also announce security advisories in the technical release blog post.
- If team members need additional help, as a Googler they can review the Dash Security Playbook.
- For more information on security advisories, see the GitHub documentation.
If team members from other organizations would like their team's playbook listed here for their reference (even if it is not a public resource), please submit a PR.