Below are the versions of the OpenTelemetry API for Dart that are currently supported with security updates:

| Version | Supported |
|---|---|
| 0.8.x | ✅ |
| < 0.8.0 | ❌ |

We take the security of OpenTelemetry API for Dart seriously. If you believe you have found a security vulnerability, please follow these steps:
- Do not disclose the vulnerability publicly
- Contact the maintainers privately: email security@dartastic.io with details of the vulnerability
- Provide sufficient information to reproduce the issue, including:
  - Description of the vulnerability
  - Steps to reproduce
  - Potential impact
  - Suggested mitigation if available

After you report a vulnerability:
- Acknowledgment - You will receive acknowledgment of your report within 48 hours
- Verification - Our team will work to verify the vulnerability
- Remediation Plan - We will develop a plan to address the vulnerability
- Public Disclosure - Once a fix is available, we will coordinate with you on public disclosure

When using OpenTelemetry API for Dart:
- Keep the package updated to the latest supported version
- Review your telemetry data to ensure sensitive information is not inadvertently collected
- Apply appropriate access controls to your telemetry data collection endpoints
- Consider using TLS for all telemetry data transmission

When implementing OpenTelemetry:
- Data Minimization - Only collect the telemetry data necessary for your use case
- PII Protection - Avoid including personally identifiable information in spans or metrics
- Sensitive Data - Avoid including sensitive information such as authentication tokens in attributes

Our disclosure policy is:
- Security issues will be announced via GitHub security advisories
- CVEs will be requested when appropriate
- Fixed versions will be clearly identified in release notes