Filing a security issue is a great way to contribute to the Fuchsia project. Security issue reports that relate to Fuchsia may be eligible for reward payments under the Android and Google Devices Security Reward Program.
For more information on the program's details and eligibility, see Android and Google Devices Security Reward Program and Google Bug Hunters - Fuchsia.
Note: You need a Google account to report a bug to the Program.
To report a security issue in Fuchsia, use the Google Bug Hunters reporting form and provide the details of your issue.
Please include the following information in your issue description.
Provide a brief explanation of the security issue, including any of the following:
Provide any version information associated with your security issue, for example:
Provide a demonstration or list of steps needed to reproduce the security issue.
Demonstration information can include the following:
Minimize the proof-of-concept files and attach them directly to the issue, not within zip or other archive formats.
Be sure to remove any content not required to demonstrate the issue, including any personal or confidential information.
Published security issues are publicly visible. For example, a security issue can be published as a CVE or as a part of the release notes. If you'd like to be credited for your discovery, provide a one-line description stating how you'd like to be publicly credited. You can use your name, a pseudonym, or you can remain anonymous.
The Fuchsia Security Team triages incoming issues and assigns those issues to the appropriate team. The assigned team can then prioritize, assign, and respond to the issue with guidance from Fuchsia Security.