We commit to publishing security updates for the version of Flutter currently on the stable
branch.
To report a vulnerability, please e-mail security@flutter.dev
with a description of the issue, the steps you took to create the issue, affected versions, and if known, mitigations for the issue.
We should reply within three working days, probably much sooner.
We use GitHub's security advisory feature to track open security issues. You should expect a close collaboration as we work to resolve the issue you have reported. Please reach out to security@flutter.dev
again if you do not receive prompt attention and regular updates.
You may also reach out to the team via our public [Discord] chat channels; however, please make sure to e-mail security@flutter.dev
when reporting an issue, and avoid revealing information about vulnerabilities in public if that could put users at risk.
This section describes the process used by the Flutter team when handling vulnerability reports.
Vulnerability reports are received via the security@flutter.dev
e-mail alias. Certain team members who have been designated the “vulnerability management team” receive these e-mails. When receiving such an e-mail, they will:
security@flutter.dev
so that the other members of the team are aware that they are handling the issue.As the fix is being developed, they will then reach out to the reporter to ask them if they would like to be involved and whether they would like to be credited. For credit, the GitHub security advisory UI has a field that allows contributors to be credited.
When the issue is resolved, they will contact the release team and our PR team to coordinate the publication of the security advisory.
Security issues have the equivalent of a P0 priority level, but (other than via issue 72555) are not tracked explicitly in the issue database. This means that we attempt to fix them as quickly as possible.
For more information on security advisories, see the GitHub documentation.
If team members need additional help from Google, as a Googler, they can see go/vuln.