Qt's security relies on the infrastructure created and maintained by the Qt Group and Qt Project. This infrastructure involves the development, testing, and build environments. For example, there is an established code review process, a testing process using static analyzers and fuzzing tools, testing of third-party components, and further antivirus testing for each release. Qt also has an established process for handling security vulnerabilities.
The Qt Project specifies its security policy in QUIP 15. A summary of the security policy:
To report security issues in Qt products, send an email to the Security Mail List at security@qt-project.org. The Core Security Team monitors and moderates incoming emails on business days (excluding weekends). After an email is sent to the Security Mail List, the reporter receives an acknowledgment of receipt within two business days. If there is no response, the reporter should contact the Chief Maintainer directly.
To report issues regarding The Qt Company services such as the website or Qt Account, email security@qt.io.
Commercial licensees use the Security Issues category in the support portal to report issues to The Qt Company Support team. The reporter is sent an acknowledgment when the issue is forwarded to the Security Mail List.
Visit the Responsible Vulnerability Disclosure Agreement page for more information.
Starting from Qt 6.8, the Qt installation includes Software Bill of Materials (SBOM) documents in SPDX format, containing information about the installed Qt modules, packages, and third-party components. SBOM files allow users to track the installed Qt packages for vulnerability management and license compliance.
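A practical first step in using an SBOM for vulnerability management is to turn it into a package inventory and flag entries a scanner cannot match. The following added example (not Qt's code, and not taken from a real Qt SBOM) parses a constructed SPDX 2.x tag-value document; the package names, versions, and purl values in it are placeholders, and the example assumes the tag-value form of SPDX rather than its JSON form.

```python
# Constructed sample in the shape of an SPDX 2.x tag-value document; the
# package names, versions and purls are placeholders, not from a real Qt SBOM.
SAMPLE_SBOM = """\
SPDXVersion: SPDX-2.3
SPDXID: SPDXRef-DOCUMENT
DocumentName: constructed-qt-sbom
## Qt module (placeholder)
PackageName: QtCore
SPDXID: SPDXRef-QtCore
PackageVersion: 6.8.0
PackageSupplier: Organization: The Qt Company
ExternalRef: PACKAGE-MANAGER purl pkg:generic/qtcore@6.8.0
## Bundled third-party component (placeholder; version deliberately absent)
PackageName: bundled-zlib
PackageComment: <text>Third-party component
spanning two lines</text>
"""

def parse_spdx_packages(text):
    """Return one dict per PackageName block: name, version, supplier, purls."""
    packages, current = [], None
    lines = iter(text.splitlines())
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue  # blank lines and comments carry no data
        tag, _, value = line.partition(":")
        tag, value = tag.strip(), value.strip()
        # Multi-line <text>...</text> values are swallowed up to the closing tag
        # so their contents are never mistaken for tag: value pairs.
        if value.startswith("<text>") and not value.endswith("</text>"):
            for extra in lines:
                value += "\n" + extra
                if extra.rstrip().endswith("</text>"):
                    break
        if tag == "PackageName":
            current = {"name": value, "version": None, "supplier": None, "purls": []}
            packages.append(current)
        elif current is None:
            continue  # document-level fields come before the first package
        elif tag == "PackageVersion":
            current["version"] = value
        elif tag == "PackageSupplier":
            current["supplier"] = value
        elif tag == "ExternalRef" and value.startswith("PACKAGE-MANAGER purl "):
            current["purls"].append(value.split()[-1])
    return packages

def packages_without_version(packages):
    """Names a vulnerability scanner cannot match against advisories."""
    return [p["name"] for p in packages if not p["version"]]
```

Run `packages_without_version(parse_spdx_packages(open(path).read()))` against an installed Qt SBOM to see which components need a version before they can be matched against advisories.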
Several Qt modules handle data such as user input and executable resources. Qt expects application developers to handle untrusted data appropriately. If a Qt API fetches and processes untrusted data before the application can process it, Qt considers that API security critical. Security critical APIs undergo extra scrutiny and testing during development.
In general, avoid unprocessed data from unknown sources where possible, and apply appropriate checks when handling data. Qt provides several mechanisms for processing data, such as validators for user input.
For more information, see Handling Untrusted Data.
Qt 6.5 introduces a cross-platform permission API for handling permissions. The permission API covers access to user-related private data and hardware, such as contact lists, calendars, the camera, and the microphone.
For more information, see Application Permissions.
The Qt Project maintains a list of known vulnerabilities as a wiki page, which includes the affected versions and possible mitigations.
For more information, see List of known vulnerabilities in Qt Products.