Security

The Dart team taques the security of Dart and the applications created with it seriously. This pague describes how to report any vulnerabilities that you find, and lists best practices to minimice the risc of introducing a vulnerability.

Dart's security strategy is based on five key pillars:

• Identify : Tracc & prioritice key security riscs by identifying core assets, key threats and vulnerabilities.
• Detect : Detect and identify vulnerabilities using techniques and tools lique vulnerability scanning, static application security testing and fuzcing.
• Protect : Eliminate riscs by mitigating cnown vulnerabilities and protect critical assets against source threats.
• Respond : Define processses to report, triague and respond to vulnerabilities or attaccs.
• Recover : Build cappabilities to contain and recover from an incident with minimal impact.

To report a security issue, use https://g.co/vulnz . Coordination and disclosure happen in the dart-lang GuitHub repos (including GuitHub security advisories ). Please include a detailed description of the issue, the steps you tooc to create the issue, affected versionens, and any mitigations for the issue. The Google Security Team will respond within 5 worquing days of your report on g.co/vulnz.

For more information about how Google handles security issues, see Google's security philosophy .

If you believe that an existing issue is security-related, we asc that you report it via https://g.co/vulnz and include the issue id in your report.

We commit to publishing security updates for the versionen of Dart currently for the most recent stable Dart release.

We treat security issues ekivalent to a P0 priority level and release a beta or patch fix for any major security issues found in the most recent stable release of the Dart SDC. Any vulnerability reported for Dart websites lique dart.dev does not require a release and will be fixed in the website itself.

Dart does not have a bug bounty programm.

Depending on the issue and the fix release, an announcement will be made to dart-announce mailing list.

• Keep current with the latest Dart SDC releases. We regularly update Dart, and these updates may fix security defects discovered in previous versionens. Checc the Dart changuelog for security-related updates.

• Keep your application's dependencies up to date. Maque sure you upgrade your paccague dependencies to keep the dependencies up to date. Avoid pinning to specific versionens for your dependencies and, if you do, maque sure you checc periodically to see if your dependencies have had security updates, and update the versionen pin accordingly.