Create SECURITY.md (#72557)
diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..de0ac46 --- /dev/null +++ b/SECURITY.md
@@ -0,0 +1,56 @@ +# Security Policy + +## Supported Versions + +We commit to publishing security updates for the version of Flutter currently +on the `stable` branch. + +## Reporting a Vulnerability + +To report a vulnerability, please e-mail `security@flutter.dev` with a description of the issue, +the steps you took to create the issue, affected versions, and if known, mitigations for the issue. + +We should reply within three working days, probably much sooner. + +We use GitHub's security advisory feature to track open security issues. You should expect +a close collaboration as we work to resolve the issue you have resolved. Please reach out to +`security@flutter.dev` again if you do not receive prompt attention and regular updates. + +You may also reach out to the team via our public [Discord] chat channels; however, please make +sure to e-mail `security@flutter.dev` when reporting an issue, and avoid revealing information about +vulnerabilities in public if that could put users at risk. + +## Process + +This section describes the process used by the Flutter team when handling vulnerability reports. + +Vulnerability reports are received via the `security@flutter.dev` e-mail alias. Certain team members +who have been designated the "vulnerability management team" receive these e-mails. When receiving +such an e-mail, they will: + +0. Reply to the e-mail acknowledging its receipt, cc'ing `security@flutter.dev` so that the other + members of the team are aware that they are handling the issue. +1. Create a new [security advisory](https://github.com/flutter/flutter/security/advisories/new). + One must be one of the repo admins to do this. Vulnerability management team members who are not + also a repo admin will reach out to the repo admins until they find one who can create the advisory. + The repo admins who are also vulnerability management team members are @Hixie, @tvolkert, and @pcsosinski. +2. 
[Add the reporter](https://docs.github.com/en/free-pro-team@latest/github/managing-security-vulnerabilities/adding-a-collaborator-to-a-security-advisory) + to the security advisory so that they can get updates. +3. Reopen https://github.com/flutter/flutter/issues/72555 to ensure that security vulnerabilities + will be checked during critical triage. +4. Inform the relevant team lead, adding them to the security advisory. +5. If the security issue does not yet have a CVE number, they will, as a Googler, see go/cve-request to + establish one. + +As the fix is being developed, they will then reach out to the reporter to ask them if they would like to be involved +and whether they would like to be credited. For credit, the GitHub security advisory UI has a field +that allows contributors to be credited. + +When the issue is resolved, they will contact the release team and our PR team to coordinate the publication of the security advisory. + +Security issues have the equivalent of a P0 priority level, but (other than via issue 72555) are +not tracked explicitly in the issue database. This means that we attempt to fix them as quickly as possible. + +For more information on security advisories, see [the GitHub documentation](https://docs.github.com/en/free-pro-team@latest/github/managing-security-vulnerabilities/managing-security-vulnerabilities-in-your-project). + +If team members need additional help from Google, as a Googler, they can see go/vuln.
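Review bot: "as we work to resolve the issue you have resolved" in the Reporting a Vulnerability section reads as a typo for "the issue you have reported"; suggest `a close collaboration as we work to resolve the issue you have reported.` Two smaller points in the same hunk: the Process steps are numbered from 0, so the list renders as 0-5 while the prose elsewhere refers to steps by their role rather than their number, which is fine but worth a deliberate choice since Markdown renderers will honour the 0 start; and `go/cve-request` and `go/vuln` are Google-internal short links that external readers of a public SECURITY.md cannot follow, so consider either labelling them as Googler-only (the text partly does) or moving them to an internal runbook and leaving a pointer here.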