Security in Qt
Qt's security relies on the infrastructure created and maintained by the Qt Group and Qt Project. This infrastructure involves the development, testing, and build environments. For example, there is an established code review process, a testing process using static analyzers and fuzzing tools, testing of third-party components, and further antivirus testing for each release. Qt also has an established process for handling security vulnerabilities.
Qt Project Security Policy
The Qt Project specifies its security policy in QUIP 15. A summary of the security policy:
- Qt has a Core Security Team that enforces the security policy and addresses issues.
- Proactive measures to prevent security issues: code reviews, code analysis, fuzz testing, and so on.
- Reporting Security Issues: the Core Security Team monitors security issues for Qt modules and affected third-party components.
- Handling Security Issues: the maintainers, Core Security Team, Chief Maintainer, and the Qt Company share and handle security issues.
- Disclosure of confirmed security issues in the Common Vulnerabilities and Exposures (CVE) database, together with a public announcement on the Qt announce@qt-project.org mailing list.
Reporting Security Issues
To report a security issue, send an email to the Security Mail List at security@qt-project.org. The Core Security Team monitors and moderates incoming emails on business days. Reporters receive an acknowledgment of receipt within two business days; if no response arrives, the reporter should contact the Chief Maintainer directly.
Commercial licensees report issues to the Qt Company Support team through the Security Issues category in the support portal. The reporter receives an acknowledgment when the issue is forwarded to the Security Mail List.
Software Bill of Materials (SBOM)
Starting from Qt 6.8, the Qt installation includes Software Bill of Materials (SBOM) documents in SPDX format, describing the installed Qt modules, packages, and third-party components. SBOM files allow users to track installed Qt packages for vulnerability management and license compliance.
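As an added example (plain C++ written for this page, not code from the Qt documentation or the Qt project), the program below parses an SPDX tag:value document into package records, the step a vulnerability-management or license-compliance check performs before comparing versions and CPEs against an advisory feed or a license policy. It assumes that the SBOM follows the standard SPDX 2.x tag:value layout; the sample document, its package names, versions and CPE are constructed for illustration and are not a real Qt SBOM.

```cpp
#include <iostream>
#include <sstream>
#include <string>
#include <vector>

// One SPDX 2.x package section, reduced to the fields a vulnerability or
// license check looks at first. Field names follow the SPDX tag:value spec.
struct SpdxPackage {
    std::string name;                // PackageName
    std::string version;             // PackageVersion
    std::string license;             // PackageLicenseConcluded
    std::vector<std::string> cpes;   // ExternalRef SECURITY cpe23Type locators
};

// Parse SPDX tag:value text into packages. A "PackageName:" tag opens a new
// package; the tags that follow belong to it until the next PackageName.
// Blank lines and '#' comment lines are skipped, and document-level tags
// that appear before the first package are ignored.
std::vector<SpdxPackage> parseSpdxTagValue(const std::string &text)
{
    std::vector<SpdxPackage> packages;
    std::istringstream in(text);
    std::string line;
    while (std::getline(in, line)) {
        if (line.empty() || line[0] == '#')
            continue;
        const std::size_t colon = line.find(':');
        if (colon == std::string::npos)
            continue;
        const std::string tag = line.substr(0, colon);
        std::string value = line.substr(colon + 1);
        value.erase(0, value.find_first_not_of(" \t"));   // drop leading blanks

        if (tag == "PackageName") {
            packages.push_back(SpdxPackage{value, "", "", {}});
        } else if (packages.empty()) {
            continue;                                      // document header
        } else if (tag == "PackageVersion") {
            packages.back().version = value;
        } else if (tag == "PackageLicenseConcluded") {
            packages.back().license = value;
        } else if (tag == "ExternalRef") {
            // ExternalRef: <category> <type> <locator>
            std::istringstream ref(value);
            std::string category, type, locator;
            if ((ref >> category >> type >> locator) && category == "SECURITY" && type == "cpe23Type")
                packages.back().cpes.push_back(locator);
        }
    }
    return packages;
}

// Packages whose concluded license is missing or NOASSERTION: a human has to
// settle these before the SBOM can be relied on for license compliance.
std::vector<std::string> packagesWithoutLicense(const std::vector<SpdxPackage> &pkgs)
{
    std::vector<std::string> names;
    for (const SpdxPackage &p : pkgs)
        if (p.license.empty() || p.license == "NOASSERTION")
            names.push_back(p.name);
    return names;
}

// Constructed sample in SPDX 2.3 tag:value form. It is NOT a real Qt SBOM;
// the package names, versions and CPE are invented for this example.
const char *const kSampleSbom =
    "SPDXVersion: SPDX-2.3\n"
    "DataLicense: CC0-1.0\n"
    "SPDXID: SPDXRef-DOCUMENT\n"
    "DocumentName: example-sbom\n"
    "\n"
    "##### Package: example-module\n"
    "PackageName: example-module\n"
    "SPDXID: SPDXRef-Package-example-module\n"
    "PackageVersion: 6.8.0\n"
    "PackageLicenseConcluded: LGPL-3.0-only\n"
    "\n"
    "PackageName: example-thirdparty-lib\n"
    "SPDXID: SPDXRef-Package-example-thirdparty-lib\n"
    "PackageVersion: 1.2.3\n"
    "PackageLicenseConcluded: NOASSERTION\n"
    "ExternalRef: SECURITY cpe23Type cpe:2.3:a:example:thirdparty-lib:1.2.3:*:*:*:*:*:*:*\n";

int main()
{
    const std::vector<SpdxPackage> pkgs = parseSpdxTagValue(kSampleSbom);
    for (const SpdxPackage &p : pkgs) {
        std::cout << p.name << ' ' << p.version << " license=" << p.license;
        for (const std::string &cpe : p.cpes)
            std::cout << " cpe=" << cpe;
        std::cout << '\n';
    }
    for (const std::string &n : packagesWithoutLicense(pkgs))
        std::cout << "needs license review: " << n << '\n';
    return 0;
}
```

The CPE locators collected here are what a scanner matches against vulnerability advisories, and the NOASSERTION check is the simplest compliance gate: a package without a concluded license should block a release until someone records one.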
Untrusted Data
Several Qt modules handle data such as user input and executable resources. Qt expects application developers to handle untrusted data appropriately. If a Qt API fetches and processes untrusted data before the application has a chance to process it, Qt considers that API security critical. Security critical APIs undergo extra scrutiny and testing during development.
In general, avoid unprocessed data from unknown sources where possible, and apply appropriate safety checks when handling data. Qt provides several mechanisms for processing data, such as validators for user input.
For more information, see Handling Untrusted Data.
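As an added illustration (plain C++ written for this page, not Qt's QValidator or any other Qt code), the function below applies the three-state idea behind Qt's input validators to a number typed into an untrusted input field: the same check runs on every keystroke and again before the value is consumed, and anything that cannot be, or cannot become, a value in the allowed range is rejected instead of being passed on to the application. The port-number range in main() is a constructed example.

```cpp
#include <initializer_list>
#include <iostream>
#include <limits>
#include <string>

// Three-state outcome modelled on the idea behind QValidator::State. This is
// plain C++ written for the example, not Qt's class: Invalid input can never
// become valid and is rejected outright, Intermediate input is incomplete but
// could still become valid with more typing, Acceptable input may be processed.
enum class State { Invalid, Intermediate, Acceptable };

// Validate a decimal integer against [lo, hi] as a user types it, so one
// function serves both per-keystroke feedback and the final check before the
// value is used. Anything other than an optional leading '-' and digits is
// rejected, and overflow is treated as Invalid rather than being allowed to wrap.
State validateIntInRange(const std::string &input, long lo, long hi)
{
    if (input.empty())
        return State::Intermediate;               // nothing typed yet

    std::size_t i = 0;
    const bool negative = input[0] == '-';
    if (negative) {
        if (lo >= 0)
            return State::Invalid;                // a sign cannot lead into a non-negative range ("-0" is not accepted)
        if (input.size() == 1)
            return State::Intermediate;           // just the sign so far
        i = 1;
    }

    long magnitude = 0;
    for (; i < input.size(); ++i) {
        const char c = input[i];
        if (c < '0' || c > '9')
            return State::Invalid;                // letters, blanks, '+', etc.
        const long digit = c - '0';
        if (magnitude > (std::numeric_limits<long>::max() - digit) / 10)
            return State::Invalid;                // would overflow, so cannot be in range
        magnitude = magnitude * 10 + digit;
    }

    const long value = negative ? -magnitude : magnitude;
    if (value >= lo && value <= hi)
        return State::Acceptable;
    // Appending digits only moves a positive value up and a negative one down,
    // so once the value has passed the bound in that direction it cannot recover.
    if (!negative && value > hi)
        return State::Invalid;
    if (negative && value < lo)
        return State::Invalid;
    return State::Intermediate;
}

static const char *describe(State s)
{
    switch (s) {
    case State::Invalid: return "Invalid";
    case State::Intermediate: return "Intermediate";
    case State::Acceptable: return "Acceptable";
    }
    return "?";
}

int main()
{
    // Constructed scenario: a port-number field where only 1024..65535 may be
    // handed on to the application.
    for (const char *typed : {"", "6", "80", "8080", "70000", "80a", "-1"})
        std::cout << '"' << typed << "\" -> "
                  << describe(validateIntInRange(typed, 1024, 65535)) << '\n';
    return 0;
}
```

The point of the Intermediate state is that an input widget can keep accepting keystrokes that might still lead to a valid value ("6" on the way to "6000") while the code that consumes the value only ever acts on Acceptable; rejecting "70000" and "80a" as Invalid at the first impossible character is what keeps unprocessed data out of the rest of the application.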
Permissions
Qt 6.5 introduces a cross-platform permission API for checking and requesting permissions. The permission API covers access to user-private data and hardware such as contact lists, calendars, the camera, and the microphone.
For more information, see Application Permissions.
© 2024 The Qt Company Ltd. Documentation contributions included herein are the copyrights of their respective owners. The documentation provided herein is licensed under the terms of the GNU Free Documentation License version 1.3 as published by the Free Software Foundation. Qt and respective logos are trademarks of The Qt Company Ltd. in Finland and/or other countries worldwide. All other trademarks are property of their respective owners.