Security policy #8006
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,5 +1,8 @@ | ||
| blank_issues_enabled: false | ||
| contact_links: | ||
| - name: Question about wgpu | ||
| url: https://github.com/gfx-rs/wgpu/discussions/new/choose | ||
| about: Any questions about how to use wgpu should go here. | ||
| - name: Security concerns | ||
| url: https://github.com/gfx-rs/wgpu/security | ||
| about: Information about reporting possible vulnerabilities. | ||
| Original file line number | Diff line number | Diff line change | ||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| @@ -0,0 +1,79 @@ | ||||||||||||||||
| # WGPU Security Policy | ||||||||||||||||
|
|
||||||||||||||||
| This document describes what is considered a security vulnerability in WGPU and | ||||||||||||||||
cwfitzgerald marked this conversation as resolved.
Show resolved
Hide resolved
|
||||||||||||||||
| how vulnerabilities should be reported. | ||||||||||||||||
|
|
||||||||||||||||
|
|
||||||||||||||||
| ## Vulnerability Definition | ||||||||||||||||
|
|
||||||||||||||||
| WebGPU introduces a different threat model than is sometimes applied to | ||||||||||||||||
| GPU-related software. Unlike typical gaming or high-performance computing | ||||||||||||||||
| applications, where the software accessing GPU APIs is proprietary or | ||||||||||||||||
| obtained from a trusted developer, WebGPU makes GPU APIs available to | ||||||||||||||||
| arbitrary web applications. In the threat model of the web, malicious | ||||||||||||||||
| content should not be able to use the GPU APIs to access data or interfaces | ||||||||||||||||
| outside the intended scope for interaction with web content. | ||||||||||||||||
|
There was a problem hiding this comment. I think this paragraph could benefit from spelling out its point more explicitly, because the following text could be taken as limiting the scope of what is a vulnerability (“we mostly care about JavaScript WebGPU”), rather than expanding it (“we care about protection from misuse, not just doing the wrong thing in response to valid-according-to-the-spec input”). So, how about saying something like:
Suggested change
There was a problem hiding this comment. This seems reasonable to me, but I'll wait for some more input before changing it. The scope as I wrote it was intentionally narrow, because I didn't want to sign the project up for more work than necessary. But that concern aside, I agree that UB or data leaks reachable from the API ought to be considered a vulnerability. There was a problem hiding this comment. I think kpreids suggestion is fine and we should adopt it. There was a problem hiding this comment. What about the experimental APIs? They explicitly call out they may have UB and should be used with caution. Would these still get vulnerability reports? If so what would happen? There was a problem hiding this comment. @Vecvec I don't think the intent is to make a firm rule that UB in an experimental API is a vulnerability. It's more a statement that the sentiment of the project is that UB is always bad, so it would always be a bug if you can get UB by misusing the API. (Arguably that should be a given for a safe API, but in this context it's worth stating a position on arguable points.) It doesn't show up in this comment thread, but the paragraph immediately following this should help to provide some clarity that experimental APIs are not held to the same standard. There was a problem hiding this comment. Sorry, it's not the paragraph immediately following. It's the one a bit later starting "The WGPU Rust API offers some functionality, both supported and experimental...". There was a problem hiding this comment. To give some examples, I'd say that a simple RCE of the form "I give wgpu this carefully crafted buffer and it executes part of it with no sandbox" is a vulnerability, even in an experimental API. RCE of the form "if you have X and Y in memory for use as ROP gadgets and I can guess the stack canary and it's a particular phase of the moon" might not be a vulnerability in an experimental API. A DoS using a core API might be a vulnerability, a DoS using an experimental API is unlikely to be considered a vulnerability. But fundamentally, it's often not possible to anticipate what will go wrong; the goal here is just to have some security policy in place to make it clear that we do care about security, and to explain how to report vulnerabilities. Severity (on a scale down to "not a vulnerability at all") has to be assessed on a case-by-case basis. There was a problem hiding this comment.
Ah yes, I see it now. |
||||||||||||||||
|
|
||||||||||||||||
| While the WGPU maintainers have discretion in assigning a severity to | ||||||||||||||||
| individual vulnerabilities, it is generally considered a security vulnerability | ||||||||||||||||
andyleiserson marked this conversation as resolved.
Show resolved
Hide resolved
|
||||||||||||||||
| in WGPU if Javascript or WebAssembly code running with privileges of ordinary | ||||||||||||||||
andyleiserson marked this conversation as resolved.
Show resolved
Hide resolved
|
||||||||||||||||
| web content is able to: | ||||||||||||||||
andyleiserson marked this conversation as resolved.
Show resolved
Hide resolved
|
||||||||||||||||
|
|
||||||||||||||||
| - Access data associated with native applications other than the user agent, | ||||||||||||||||
| or associated with other web origins. | ||||||||||||||||
| - Escape the applicable sandbox and run arbitrary code or call arbitrary system | ||||||||||||||||
| APIs on the user agent host. | ||||||||||||||||
| - Consume system resources to the point that it is difficult to recover | ||||||||||||||||
| (e.g. by closing the web page). | ||||||||||||||||
|
|
||||||||||||||||
| The WGPU Rust API offers some functionality, both supported and experimental, | ||||||||||||||||
| that is not part of the WebGPU standard and is not made available in Javascript | ||||||||||||||||
| environments using WGPU. Associated vulnerabilities may be assigned lower | ||||||||||||||||
| severity than vulnerabilities that apply to a Javascript WebGPU implementation | ||||||||||||||||
andyleiserson marked this conversation as resolved.
Show resolved
Hide resolved
|
||||||||||||||||
| based on WGPU. | ||||||||||||||||
|
|
||||||||||||||||
|
|
||||||||||||||||
| ## Supported Versions | ||||||||||||||||
|
|
||||||||||||||||
| The WGPU project maintains security support for serious vulnerabilities in the | ||||||||||||||||
| [most recent major release](https://github.com/gfx-rs/wgpu/releases). Fixes for | ||||||||||||||||
| security vulnerabilities found shortly after the initial release of a major | ||||||||||||||||
| version may also be provided for the previous major release. | ||||||||||||||||
|
|
||||||||||||||||
| Mozilla provides security support for versions of WGPU used in [current | ||||||||||||||||
| versions of Firefox](https://whattrainisitnow.com/). | ||||||||||||||||
|
|
||||||||||||||||
| The version of WGPU that is active can be found in the Firefox repositories: | ||||||||||||||||
|
|
||||||||||||||||
| - [release](https://github.com/mozilla-firefox/firefox/blob/release/gfx/wgpu_bindings/Cargo.toml), | ||||||||||||||||
| - [beta](https://github.com/mozilla-firefox/firefox/blob/beta/gfx/wgpu_bindings/Cargo.toml), and | ||||||||||||||||
| - [nightly](https://github.com/mozilla-firefox/firefox/blob/main/gfx/wgpu_bindings/Cargo.toml), | ||||||||||||||||
|
|
||||||||||||||||
| We welcome reports of security vulnerabilities in any of these released | ||||||||||||||||
| versions or in the latest code on the `trunk` branch. | ||||||||||||||||
|
|
||||||||||||||||
|
|
||||||||||||||||
| ## Reporting a Vulnerability | ||||||||||||||||
|
|
||||||||||||||||
| Although not all vulnerabilities in WGPU will affect Firefox, Mozilla accepts | ||||||||||||||||
| all vulnerability reports for WGPU and directs them appropriately. Additionally, | ||||||||||||||||
| Mozilla serves as the CVE numbering authority for the WGPU project. | ||||||||||||||||
|
|
||||||||||||||||
| To report a security problem with WGPU, create a bug in Mozilla's Bugzilla | ||||||||||||||||
| instance in the [Core :: | ||||||||||||||||
| Graphics :: WebGPU](https://bugzilla.mozilla.org/enter_bug.cgi?product=Core&component=Graphics%3A+WebGPU) | ||||||||||||||||
andyleiserson marked this conversation as resolved.
Show resolved
Hide resolved
|
||||||||||||||||
| component. | ||||||||||||||||
andyleiserson marked this conversation as resolved.
Show resolved
Hide resolved
|
||||||||||||||||
|
|
||||||||||||||||
| **IMPORTANT: For security issues, please make sure that you check the box | ||||||||||||||||
andyleiserson marked this conversation as resolved.
Show resolved
Hide resolved
|
||||||||||||||||
| labelled "Many users could be harmed by this security problem".** We advise | ||||||||||||||||
| that you check this option for anything that is potentially | ||||||||||||||||
| security-relevant, including memory safety, crashes, race conditions, and | ||||||||||||||||
| handling of confidential information. | ||||||||||||||||
|
|
||||||||||||||||
| Review Mozilla's [guides on bug | ||||||||||||||||
| reporting](https://bugzilla.mozilla.org/page.cgi?id=bug-writing.html) before | ||||||||||||||||
| you open a bug. | ||||||||||||||||
|
|
||||||||||||||||
| Mozilla operates a [bug bounty | ||||||||||||||||
| program](https://www.mozilla.org/en-US/security/bug-bounty/). Some | ||||||||||||||||
| vulnerabilities in this project may be eligible. | ||||||||||||||||
Uh oh!
There was an error while loading. Please reload this page.