The Flutter team takes the security of Flutter and the applications created with it seriously. This page describes how to report any vulnerabilities you might find, and lists best practices to minimize the risk of introducing a vulnerability.
Flutter security strategy is based on five key pillars:
- Identify: Track and prioritize key security risks by identifying core assets, key threats, and vulnerabilities.
- Detect: Detect and identify vulnerabilities using techniques and tools like vulnerability scanning, static application security testing, and fuzzing.
- Protect: Eliminate risks by mitigating known vulnerabilities and protect critical assets against source threats.
- Respond: Define processes to report, triage, and respond to vulnerabilities or attacks.
- Recover: Build capabilities to contain and recover from an incident with minimal impact.
Before reporting a security vulnerability found by a static analysis tool, consider checking our list of known false positives.
To report a vulnerability, email
with a description of the issue, the steps to reproduce it, the affected versions, and, if known, mitigations for the issue.
We should reply within three working days.
We use GitHub’s security advisory feature to track open security issues. You should expect a close collaboration as we work to resolve the issue that you have reported.
Please reach out to email@example.com again if you don’t receive prompt attention and regular updates.
You might also reach out to the team using our public Discord chat channels; however, when reporting a vulnerability, don’t post to Discord or file a GitHub issue, to avoid revealing information about vulnerabilities in public that could put users at risk.
For more details on how we handle security vulnerabilities, see our security policy.
Flagging existing issues as security-related
If you believe that an existing issue is security-related, we ask that you send an email to
The email should include the issue ID and a short description of why it should be handled according to this security policy.
We commit to publishing security updates for the version of
Flutter currently on the
We treat security issues equivalent to a P0 priority level and release a beta or hotfix for any major security issues found in the most recent stable version of our SDK.
A vulnerability reported for a Flutter website such as docs.flutter.dev doesn’t require an SDK release; it is fixed in the website itself.
Flutter doesn’t have a bug bounty program.
Receiving security updates
The best way to receive security updates is to subscribe to the flutter-announce mailing list or watch updates to the Discord channel. We also announce security updates in the technical release blog post.
Keep current with the latest Flutter SDK releases. We regularly update Flutter, and these updates might fix security defects discovered in previous versions. Check the Flutter change log for security-related updates.
Keep your application’s dependencies up to date by regularly upgrading your package dependencies. Avoid pinning your dependencies to specific versions; if you do pin them, check periodically whether those dependencies have received security updates, and update the pin accordingly.
Keep your copy of Flutter up to date. Private, customized versions of Flutter tend to fall behind the current version and might not include important security fixes and enhancements. Instead, routinely update your copy of Flutter. If you’re making changes to improve Flutter, be sure to update your fork and consider sharing your changes with the community.