We release patches for security vulnerabilities. Which versions are eligible for receiving such patches depends on the CVSS v3.0 Rating:
| Version | Supported |
|---|---|
| 0.0.x | ✅ |
Please report (suspected) security vulnerabilities to Github. You will receive a response within 48 hours. If the issue is confirmed, we will release a patch as soon as possible depending on complexity but historically within a few days.
Please include the following information in your report:
- Type of issue (e.g., XSS, SQL injection, etc.)
- Full paths of source file(s) related to the manifestation of the issue
- The location of the affected source code (tag/branch/commit or direct URL)
- Any special configuration required to reproduce the issue
- Step-by-step instructions to reproduce the issue
- Proof-of-concept or exploit code (if possible)
- Impact of the issue, including how an attacker might exploit the issue
This information will help us triage your report more quickly.
When using fluttercn:
- Keep your CLI tool updated to the latest version
- Review component code before adding to your project
- Don't commit sensitive information in your Flutter projects
- Follow Flutter security best practices
When we receive a security bug report, we will assign it to a primary handler. This person will coordinate the fix and release process, involving the following steps:
- Confirm the problem and determine the affected versions
- Audit code to find any potential similar problems
- Prepare fixes for all releases still under maintenance
- Publish security advisories and releases
We credit security researchers who responsibly disclose vulnerabilities. If you would like to be credited, please include your name and/or handle in your report.