document vulnerability reporting process

[jonasfj]

Inspired by https://docs.npmjs.com/reporting-a-vulnerability-in-an-npm-package

We should have a vulnerability reporting process, along the lines of:

1. Vulnerability in a pub package is report to us.
2. A team of our Dart security experts reviews the vulnerability.
3. We contact the package author, giving them 45 days to address the issue.
4. After 45 days we publish the report on pub.dartlang.org as a flag associated with the affected versions of the given package.
5. Doing pub get will print notices attached to packages, or something like that...

Credits to @kibantony for suggesting this in dart-lang/pub#2106.

[amreniouinnovent]

@jonasfj Do you have an example of vulnerability in dart?

[jonasfj]

Packages that are security sensitive could easily have vulnerabilities, for example earlier versions of package:sanitize_html would sanitize <strong></strong> into <strong/> which could break the HTML structure. This and more serious bugs in package:sanitize_html could be considered a vulnerability.

[IchordeDionysos]

@jonasfj are there any concrete plans to implement this?

[jonasfj]

@IchordeDionysos, at the moment we're focused on everything we can do to support null-safety beta release.

I don't know when we'll get around to addressing this, there are many similar features on the drawing board. There is some work on warnings in the clients, that logic will probably end up supporting vulnerability warnings as well.

Why do ask?

[IchordeDionysos]

@jonasfj makes sense, honestly, I am myself more hyped about null-safety than security 😂

However, this does not mean that it's less important.
For us, this is simply about reducing risk, knowing that is a system in place. So we get notified somehow about unsecure package versions we use that we should update immediately.
We do check each package and version, but this does not mean we detect everything.

[IchordeDionysos]

Could be the perfect database for the vulnerabilities:

"GitHub - google/osv: Open source vulnerability DB and triage service." https://github.com/google/osv

[miDeb]

Hi, so what is the correct thing to do if you find a security issue in a package? I'm not sure it's a severe issue but the mantainer is apparently not responsive.