From b7254ef10eadb960b3b78577d61299ec66a79630 Mon Sep 17 00:00:00 2001 From: khyati82 <61220466+khyati82@users.noreply.github.com> Date: Fri, 22 Apr 2022 12:21:00 -0700 Subject: [PATCH 1/3] Update index.md Modifying security policy on flutter.dev website --- src/security/index.md | 40 +++++++++++++++++++++++++++++++--------- 1 file changed, 31 insertions(+), 9 deletions(-) diff --git a/src/security/index.md b/src/security/index.md index cb1e0f1081..08845b612f 100644 --- a/src/security/index.md +++ b/src/security/index.md @@ -7,23 +7,45 @@ created with it seriously. This page describes how to report any vulnerabilities you may find, and lists best practices to minimize the risk of introducing a vulnerability. +## Security Philosophy +Flutter security strategy is based on five key pillars + +* **Identify**: Track & prioritize key security risks by identifying core assets, key threats and vulnerabilities. +* **Detect**: Detect and identify vulnerabilities using techniques and tools like vulnerability scanning, static application security testing and fuzzing. +* **Protect**: Eliminate risks by mitigating or remediating known vulnerabilities and protect critical assets against source threats. +* **Respond**: Define processes to report, triage and respond to vulnerabilities or attacks. +* **Recover**: Build capabilities to contain and recover from an incident with minimal impact. + ## Reporting vulnerabilities -To report a vulnerability, please e-mail `security@flutter.dev` with a description of the issue, +To report a vulnerability, please email `security@flutter.dev` with a description of the issue, the steps you took to create the issue, affected versions, and if known, mitigations for the issue. -We should reply within three working days, probably much sooner. - -We use GitHub's security advisory feature to track open security issues. You should expect -a close collaboration as we work to resolve the issue you have reported. Please reach out to -`security@flutter.dev` again if you do not receive prompt attention and regular updates. +We should reply within three working days. -You may also reach out to the team via our public [Discord]({{site.repo.flutter}}/wiki/Chat) chat channels; however, please make -sure to e-mail `security@flutter.dev` when reporting an issue, and avoid revealing information about -vulnerabilities in public if that could put users at risk. +We use GitHub’s security advisory feature to track open security issues. You should expect a close collaboration as we work to resolve the issue you have reported. Please reach out to `security@flutter.dev` again if you do not receive prompt attention and regular updates. You may also reach out to the team via our public [Discord](https://github.com/flutter/flutter/wiki/Chat) chat channels; however, when reporting an issue, please e-mail `security@flutter.dev` instead of Discord or filing a github issue to avoid revealing information about vulnerabilities in public that could put users at risk. For more details on how we handle security vulnerabilities, please see our [internal processes]({{site.repo.flutter}}/security/policy). +## Flagging Existing Issues as Security-related +If you believe that an existing issue is security-related, we ask that you send an email to `security@flutter.dev`. The email should include the issue ID and a short description of why it should be handled according to this security policy. + +## Supported Versions + +We commit to publishing security updates for the version of Flutter currently +on the `stable` branch. + +## Expectations + +We treat security issues equivalent to a P0 priority level. We will release a beta or hotfix for any major security issues found in the most recent stable version of our SDK. Any vulnerability reported for flutter websites like flutter.dev does not require a release and will be fixed in the website itself. + +Flutter does not have a bug bounty program. + +## Receiving security updates + +The best way to receive security updates is to subscribe to the [flutter-announce](https://groups.google.com/forum/#!forum/flutter-announce) mailing list or updates to the Discord [channel](https://discord.com/channels/608014603317936148/608116355836805126). +In addition to publishing github security advisory, we will also announce security updates in the technical release blog post. + ## Best practices * **Keep current with the latest Flutter SDK releases.** From d13e06fb1daa40df515ef52e333d0f7b6d956327 Mon Sep 17 00:00:00 2001 From: khyati82 <61220466+khyati82@users.noreply.github.com> Date: Fri, 22 Apr 2022 13:11:49 -0700 Subject: [PATCH 2/3] Update index.md --- src/security/index.md | 20 ++++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) diff --git a/src/security/index.md b/src/security/index.md index 08845b612f..62735e922f 100644 --- a/src/security/index.md +++ b/src/security/index.md @@ -7,12 +7,13 @@ created with it seriously. This page describes how to report any vulnerabilities you may find, and lists best practices to minimize the risk of introducing a vulnerability. -## Security Philosophy +## Security philosophy Flutter security strategy is based on five key pillars * **Identify**: Track & prioritize key security risks by identifying core assets, key threats and vulnerabilities. -* **Detect**: Detect and identify vulnerabilities using techniques and tools like vulnerability scanning, static application security testing and fuzzing. -* **Protect**: Eliminate risks by mitigating or remediating known vulnerabilities and protect critical assets against source threats. +* **Detect**: Detect and identify vulnerabilities using techniques and tools like vulnerability scanning, + static application security testing and fuzzing. +* **Protect**: Eliminate risks by mitigating known vulnerabilities and protect critical assets against source threats. * **Respond**: Define processes to report, triage and respond to vulnerabilities or attacks. * **Recover**: Build capabilities to contain and recover from an incident with minimal impact. @@ -27,24 +28,27 @@ We use GitHub’s security advisory feature to track open security issues. You s For more details on how we handle security vulnerabilities, please see our [internal processes]({{site.repo.flutter}}/security/policy). -## Flagging Existing Issues as Security-related +## Flagging existing issues as security-related If you believe that an existing issue is security-related, we ask that you send an email to `security@flutter.dev`. The email should include the issue ID and a short description of why it should be handled according to this security policy. -## Supported Versions +## Supported versions We commit to publishing security updates for the version of Flutter currently on the `stable` branch. ## Expectations -We treat security issues equivalent to a P0 priority level. We will release a beta or hotfix for any major security issues found in the most recent stable version of our SDK. Any vulnerability reported for flutter websites like flutter.dev does not require a release and will be fixed in the website itself. +We treat security issues equivalent to a P0 priority level and release a beta or hotfix for any major security issues found in the most recent stable version of our SDK. + +Any vulnerability reported for flutter websites like flutter.dev does not require a release and will be fixed in the website itself. Flutter does not have a bug bounty program. ## Receiving security updates -The best way to receive security updates is to subscribe to the [flutter-announce](https://groups.google.com/forum/#!forum/flutter-announce) mailing list or updates to the Discord [channel](https://discord.com/channels/608014603317936148/608116355836805126). -In addition to publishing github security advisory, we will also announce security updates in the technical release blog post. +The best way to receive security updates is to subscribe to the +[flutter-announce](https://groups.google.com/forum/#!forum/flutter-announce) mailing list or updates to the Discord [channel](https://discord.com/channels/608014603317936148/608116355836805126). +We will also announce security updates in the technical release blog post. ## Best practices From d912c0cd74968224c27a344b17772b69ddea0958 Mon Sep 17 00:00:00 2001 From: khyati82 <61220466+khyati82@users.noreply.github.com> Date: Fri, 22 Apr 2022 13:16:05 -0700 Subject: [PATCH 3/3] Update index.md --- src/security/index.md | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/src/security/index.md b/src/security/index.md index 62735e922f..0592248802 100644 --- a/src/security/index.md +++ b/src/security/index.md @@ -24,12 +24,15 @@ the steps you took to create the issue, affected versions, and if known, mitigat We should reply within three working days. -We use GitHub’s security advisory feature to track open security issues. You should expect a close collaboration as we work to resolve the issue you have reported. Please reach out to `security@flutter.dev` again if you do not receive prompt attention and regular updates. You may also reach out to the team via our public [Discord](https://github.com/flutter/flutter/wiki/Chat) chat channels; however, when reporting an issue, please e-mail `security@flutter.dev` instead of Discord or filing a github issue to avoid revealing information about vulnerabilities in public that could put users at risk. +We use GitHub’s security advisory feature to track open security issues. You should expect a close collaboration as we work to resolve the issue you have reported. + +Please reach out to `security@flutter.dev` again if you do not receive prompt attention and regular updates. You may also reach out to the team via our public [Discord](https://github.com/flutter/flutter/wiki/Chat) chat channels; however, when reporting an issue, please e-mail `security@flutter.dev` instead of Discord or filing a github issue to avoid revealing information about vulnerabilities in public that could put users at risk. For more details on how we handle security vulnerabilities, please see our [internal processes]({{site.repo.flutter}}/security/policy). ## Flagging existing issues as security-related -If you believe that an existing issue is security-related, we ask that you send an email to `security@flutter.dev`. The email should include the issue ID and a short description of why it should be handled according to this security policy. +If you believe that an existing issue is security-related, we ask that you send an email to `security@flutter.dev`. +The email should include the issue ID and a short description of why it should be handled according to this security policy. ## Supported versions