Ian Hickson | d83134a | 2021-01-11 16:37:42 -0800

# Security Policy

## Supported Versions

We commit to publishing security updates for the version of Flutter currently
on the `stable` branch.

## Reporting a Vulnerability

To report a vulnerability, please e-mail `security@flutter.dev` with a description of the issue,
the steps needed to reproduce it, the affected versions, and, if known, any mitigations.

We will reply within three working days, and usually much sooner.

We use GitHub's security advisory feature to track open security issues. You should expect
close collaboration as we work to resolve the issue you have reported. Please reach out to
`security@flutter.dev` again if you do not receive prompt attention and regular updates.

You may also reach out to the team via our public [Discord] chat channels; however, please make
sure to e-mail `security@flutter.dev` when reporting an issue, and avoid revealing information about
vulnerabilities in public if that could put users at risk.

## Process

This section describes the process used by the Flutter team when handling vulnerability reports.

Vulnerability reports are received via the `security@flutter.dev` e-mail alias. Certain team members
who have been designated the "vulnerability management team" receive these e-mails. On receiving
such an e-mail, they will:

0. Reply to the e-mail acknowledging its receipt, cc'ing `security@flutter.dev` so that the other
   members of the team are aware that they are handling the issue.
1. Create a new [security advisory](https://github.com/flutter/flutter/security/advisories/new).
   Only repo admins can do this. Vulnerability management team members who are not
   also repo admins will reach out to the repo admins until they find one who can create the advisory.
   The repo admins who are also vulnerability management team members are @Hixie, @tvolkert, and @pcsosinski.
2. [Add the reporter](https://docs.github.com/en/free-pro-team@latest/github/managing-security-vulnerabilities/adding-a-collaborator-to-a-security-advisory)
   to the security advisory so that they can get updates.
3. Reopen https://github.com/flutter/flutter/issues/72555 to ensure that security vulnerabilities
   will be checked during critical triage.
4. Inform the relevant team lead, adding them to the security advisory.
5. If the security issue does not yet have a CVE number, establish one; Googlers should see
   go/cve-request for the procedure.

As the fix is being developed, they will reach out to the reporter to ask whether they would like to be involved
and whether they would like to be credited. For credit, the GitHub security advisory UI has a field
that allows contributors to be credited.

When the issue is resolved, they will contact the release team and our PR team to coordinate the publication of the security advisory.

Security issues have the equivalent of a P0 priority level, which means we attempt to fix them as quickly
as possible; however, other than via issue 72555, they are not tracked explicitly in the issue database.

For more information on security advisories, see [the GitHub documentation](https://docs.github.com/en/free-pro-team@latest/github/managing-security-vulnerabilities/managing-security-vulnerabilities-in-your-project).

If team members need additional help from Google, Googlers on the team can see go/vuln.