Qt's security relies on the infrastructure created and maintained by the Qt Group and Qt Project. This infrastructure involves the development, testing, and build environments. For example, there is an established code review process, a testing process using static analyzers and fuzzing tools, testing of third-party components, and further antivirus testing for each release. Qt also has an established process for handling security vulnerabilities.
The Qt Project specifies its security policy in QUIP 15. A summary of the security policy:
To report security issues in Qt Products, send an email to the Security Mail List at security@qt-project.org. The Core Security Team monitors and moderates incoming emails on business days (excluding weekends). After sending an email to the Security Mail List, the reporter receives an acknowledgment of receipt within two business days. If there is no response, the reporter should contact the Chief Maintainer directly.
To report issues regarding The Qt Company services, such as the website or Qt Account, email security@qt.io.
For commercial licensees, use the Security Issues category in the support portal to report issues to The Qt Company Support team. The reporter is sent an acknowledgment when the issue is forwarded to the Security Mail List.
Visit the Responsible Vulnerability Disclosure Agreement page for more information.
Starting from Qt 6.8, the Qt installation includes Software Bill of Materials (SBOM) documents, containing information about installed Qt modules, packages, and third-party components in SPDX format. SBOM files allow users to track Qt installed packages for vulnerability management and license compliance.
Several Qt modules handle data such as user input and executable resources. Qt expects application developers to handle untrusted data appropriately. If a Qt API fetches and processes untrusted data before the application can do its own processing, Qt considers that API security critical. Security critical APIs undergo extra scrutiny and testing during development.
In general, avoid unprocessed data from unknown sources where possible, and apply appropriate safety checks when handling data. Qt provides several mechanisms for processing data, such as validators for user input.
For more information, see Handling Untrusted Data.
Qt 6.5 introduces a cross-platform permission API. The permission API covers user-related private data and hardware, such as contact lists, the calendar, the camera, and the microphone.
For more information, see Application Permissions.
The Qt Project maintains a list of known vulnerabilities on a wiki page, which includes affected versions and possible mitigations.
For more information, see List of known vulnerabilities in Qt Products.
We acknowledge that your product may have a lifecycle that is longer than our usual support window for a given Qt release. We now offer maintenance services for customers with an end-of-support (EoS) version of Qt.
Extended Security Maintenance for Qt 5.15 begins on 26 May 2025. The Extended Security Maintenance subscription service provides access to Critical Vulnerability and Security (CVS) maintenance patches for the Qt libraries of selected Long Term Support (LTS) releases after their end of support (EoS).
For more information, see Qt Support.