|
| 1 | +# WGPU Security Policy |
| 2 | + |
| 3 | +This document describes what is considered a security vulnerability in WGPU and |
| 4 | +how vulnerabilities should be reported. |
| 5 | + |
| 6 | + |
| 7 | +## Vulnerability Definition |
| 8 | + |
| 9 | +WebGPU introduces a different threat model than is sometimes applied to |
| 10 | +GPU-related software. Unlike typical gaming or high-performance computing |
| 11 | +applications, where the software accessing GPU APIs is proprietary or |
| 12 | +obtained from a trusted developer, WebGPU makes GPU APIs available to |
| 13 | +arbitrary web applications. In the threat model of the web, malicious |
| 14 | +content should not be able to use the GPU APIs to access data or interfaces |
| 15 | +outside the intended scope for interaction with web content. Therefore, `wgpu` |
| 16 | +seeks to prevent undefined behavior and data leaks even when its API is |
| 17 | +misused, and failures to do so may be considered vulnerabilities. (This is |
| 18 | +also in accordance with the Rust principle of safe vs. unsafe code, since the |
| 19 | +`wgpu` library exposes a safe API.) |
| 20 | + |
| 21 | +The WGPU maintainers have discretion in assigning a severity to individual |
| 22 | +vulnerabilities. It is generally considered a high-severity vulnerability in |
| 23 | +WGPU if JavaScript or WebAssembly code, running with privileges of ordinary web |
| 24 | +content in a browser that is using WGPU to provide the WebGPU API to that |
| 25 | +content, is able to: |
| 26 | + |
| 27 | +- Access data associated with native applications other than the user agent, |
| 28 | + or associated with other web origins. |
| 29 | +- Escape the applicable sandbox and run arbitrary code or call arbitrary system |
| 30 | + APIs on the user agent host. |
| 31 | +- Consume system resources to the point that it is difficult to recover |
| 32 | + (e.g. by closing the web page). |
| 33 | + |
| 34 | +The WGPU Rust API offers some functionality, both supported and experimental, |
| 35 | +that is not part of the WebGPU standard and is not made available in JavaScript |
| 36 | +environments using WGPU. Associated vulnerabilities may be assigned lower |
| 37 | +severity than vulnerabilities that apply to a WGPU-based WebGPU implementation |
| 38 | +exposed to JavaScript. |
| 39 | + |
| 40 | + |
| 41 | +## Supported Versions |
| 42 | + |
| 43 | +The WGPU project maintains security support for serious vulnerabilities in the |
| 44 | +[most recent major release](https://github.com/gfx-rs/wgpu/releases). Fixes for |
| 45 | +security vulnerabilities found shortly after the initial release of a major |
| 46 | +version may also be provided for the previous major release. |
| 47 | + |
| 48 | +Mozilla provides security support for versions of WGPU used in [current |
| 49 | +versions of Firefox](https://whattrainisitnow.com/). |
| 50 | + |
| 51 | +The version of WGPU that is active can be found in the Firefox repositories: |
| 52 | + |
| 53 | +- [release](https://github.com/mozilla-firefox/firefox/blob/release/gfx/wgpu_bindings/Cargo.toml), |
| 54 | +- [beta](https://github.com/mozilla-firefox/firefox/blob/beta/gfx/wgpu_bindings/Cargo.toml), and |
| 55 | +- [nightly](https://github.com/mozilla-firefox/firefox/blob/main/gfx/wgpu_bindings/Cargo.toml), |
| 56 | + |
| 57 | +We welcome reports of security vulnerabilities in any of these released |
| 58 | +versions or in the latest code on the `trunk` branch. |
| 59 | + |
| 60 | + |
| 61 | +## Reporting a Vulnerability |
| 62 | + |
| 63 | +Although not all vulnerabilities in WGPU will affect Firefox, Mozilla accepts |
| 64 | +all vulnerability reports for WGPU and directs them appropriately. Additionally, |
| 65 | +Mozilla serves as the CVE numbering authority for the WGPU project. |
| 66 | + |
| 67 | +To report a security problem with WGPU, create a bug in Mozilla's Bugzilla |
| 68 | +instance in the |
| 69 | +[Core :: Graphics :: WebGPU](https://bugzilla.mozilla.org/enter_bug.cgi?product=Core&component=Graphics%3A+WebGPU&groups=core-security&groups=gfx-core-security) |
| 70 | +component. |
| 71 | + |
| 72 | +**IMPORTANT: For security issues, please make sure that you check the box |
| 73 | +labelled "Many users could be harmed by this security problem".** We advise |
| 74 | +that you check this option for anything that is potentially |
| 75 | +security-relevant, including memory safety, crashes, race conditions, and |
| 76 | +handling of confidential information. |
| 77 | + |
| 78 | +Review Mozilla's [guides on bug |
| 79 | +reporting](https://bugzilla.mozilla.org/page.cgi?id=bug-writing.html) before |
| 80 | +you open a bug. |
| 81 | + |
| 82 | +Mozilla operates a [bug bounty |
| 83 | +program](https://www.mozilla.org/en-US/security/bug-bounty/). Some |
| 84 | +vulnerabilities in this project may be eligible. |
0 commit comments