| Version | Supported |
|---|---|
| 0.1.x | ✅ |
Do not open a public GitHub issue for security vulnerabilities.
Report via:
- GitHub Security Advisory (preferred) — Security tab → "Report a vulnerability"
- Email — security@betaversion.io with subject line `[SECURITY] xo-flutter`

Please include:
- Type of vulnerability
- Affected file(s) and location (tag / branch / commit)
- Steps to reproduce
- Proof-of-concept or exploit code if available
- Suggested fix if you have one
| Severity | Fix target |
|---|---|
| Critical | 1–7 days |
| High | 7–30 days |
| Medium | 30–90 days |
| Low | Best effort |
We will confirm receipt within 48 hours and credit you in the release notes unless you prefer to stay anonymous.
xo-flutter generates starter code. Users are responsible for the security of apps built from it. Key things to review before shipping:
- Replace placeholder `.env` values with real secrets via a secret manager — never commit them
- The generated `DioClient` logs full requests in debug mode (`kDebugMode`) — verify this is disabled in release builds
- The generated `FlutterSecureStorage` uses default Android/iOS keystore options — harden for your threat model
- Firebase credentials (`google-services.json` / `GoogleService-Info.plist`) should be gitignored in production repos
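The two review items about `DioClient` logging and `FlutterSecureStorage` options, shown as an added example rather than xo-flutter's own generated code. It assumes the generated client is built on the `dio` and `flutter_secure_storage` packages (dio 5.x and flutter_secure_storage 9.x APIs); `buildDioClient`, `weakStorage` and `hardenedStorage` are names chosen here.

```dart
// Added example, not part of xo-flutter. Assumes dio ^5 and
// flutter_secure_storage ^9 (option names differ in other major versions).
import 'package:dio/dio.dart';
import 'package:flutter/foundation.dart' show kDebugMode;
import 'package:flutter_secure_storage/flutter_secure_storage.dart';

/// Builds an HTTP client whose request/response logging exists only in debug
/// builds. kDebugMode is a compile-time constant, so the interceptor is
/// compiled out of release builds rather than merely switched off at runtime.
Dio buildDioClient({required String baseUrl}) {
  final dio = Dio(BaseOptions(baseUrl: baseUrl));
  if (kDebugMode) {
    dio.interceptors.add(LogInterceptor(
      requestHeader: false, // keep Authorization headers out of local logs too
      requestBody: true,
      responseBody: true,
    ));
  }
  return dio;
}

/// Whether any logging interceptor survived into this build. Useful as a
/// startup check in release builds: it should return false there.
bool hasRequestLogging(Dio dio) =>
    dio.interceptors.any((i) => i is LogInterceptor);

/// Weak setting: platform defaults for both Android and iOS. Acceptable for a
/// starter template, but review them against your own threat model.
const FlutterSecureStorage weakStorage = FlutterSecureStorage();

/// Hardened setting: Jetpack EncryptedSharedPreferences on Android, and an iOS
/// keychain item that is readable only after first unlock and is bound to this
/// device (not carried along in backups or migrations).
const FlutterSecureStorage hardenedStorage = FlutterSecureStorage(
  aOptions: AndroidOptions(encryptedSharedPreferences: true),
  iOptions: IOSOptions(
    accessibility: KeychainAccessibility.first_unlock_this_device,
  ),
);
```

Calling `hasRequestLogging(buildDioClient(baseUrl: 'https://api.example'))` in a release build should return false; if it returns true, a logging interceptor was added somewhere outside the `kDebugMode` guard.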