Security policy #8006
+86
−1
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,5 +1,10 @@ | ||
| blank_issues_enabled: false | ||
| contact_links: | ||
| - name: Question about wgpu | ||
| url: https://github.com/gfx-rs/wgpu/discussions/new/choose | ||
| about: Any questions about how to use wgpu should go here. | ||
| - name: Security concerns | ||
| url: https://github.com/gfx-rs/wgpu/security | ||
| about: > | ||
| If you have found a possible vulnerability in wgpu, please read this | ||
| security policy for information about reporting it confidentially. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change | ||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| @@ -0,0 +1,80 @@ | ||||||||||||||||
| # WGPU Security Policy | ||||||||||||||||
|
|
||||||||||||||||
| This document describes what is considered a security vulnerability in WGPU and | ||||||||||||||||
| how vulnerabilities should be reported. | ||||||||||||||||
|
|
||||||||||||||||
|
|
||||||||||||||||
| ## Vulnerability Definition | ||||||||||||||||
|
|
||||||||||||||||
| WebGPU introduces a different threat model than is sometimes applied to | ||||||||||||||||
| GPU-related software. Unlike typical gaming or high-performance computing | ||||||||||||||||
| applications, where the software accessing GPU APIs is proprietary or | ||||||||||||||||
| obtained from a trusted developer, WebGPU makes GPU APIs available to | ||||||||||||||||
| arbitrary web applications. In the threat model of the web, malicious | ||||||||||||||||
| content should not be able to use the GPU APIs to access data or interfaces | ||||||||||||||||
| outside the intended scope for interaction with web content. | ||||||||||||||||
|
There was a problem hiding this comment. I think this paragraph could benefit from spelling out its point more explicitly, because the following text could be taken as limiting the scope of what is a vulnerability (“we mostly care about JavaScript WebGPU”), rather than expanding it (“we care about protection from misuse, not just doing the wrong thing in response to valid-according-to-the-spec input”). So, how about saying something like:
Suggested change
There was a problem hiding this comment. This seems reasonable to me, but I'll wait for some more input before changing it. The scope as I wrote it was intentionally narrow, because I didn't want to sign the project up for more work than necessary. But that concern aside, I agree that UB or data leaks reachable from the API ought to be considered a vulnerability. |
||||||||||||||||
|
|
||||||||||||||||
| The WGPU maintainers have discretion in assigning a severity to individual | ||||||||||||||||
| vulnerabilities. It is generally considered a high-severity vulnerability in | ||||||||||||||||
| WGPU if JavaScript or WebAssembly code, running with privileges of ordinary web | ||||||||||||||||
| content in a browser that is using WGPU to provide the WebGPU API to that | ||||||||||||||||
| content, is able to: | ||||||||||||||||
|
|
||||||||||||||||
| - Access data associated with native applications other than the user agent, | ||||||||||||||||
| or associated with other web origins. | ||||||||||||||||
| - Escape the applicable sandbox and run arbitrary code or call arbitrary system | ||||||||||||||||
| APIs on the user agent host. | ||||||||||||||||
| - Consume system resources to the point that it is difficult to recover | ||||||||||||||||
| (e.g. by closing the web page). | ||||||||||||||||
|
|
||||||||||||||||
| The WGPU Rust API offers some functionality, both supported and experimental, | ||||||||||||||||
| that is not part of the WebGPU standard and is not made available in JavaScript | ||||||||||||||||
| environments using WGPU. Associated vulnerabilities may be assigned lower | ||||||||||||||||
| severity than vulnerabilities that apply to a WGPU-based WebGPU implementation | ||||||||||||||||
| exposed to JavaScript. | ||||||||||||||||
|
|
||||||||||||||||
|
|
||||||||||||||||
| ## Supported Versions | ||||||||||||||||
|
|
||||||||||||||||
| The WGPU project maintains security support for serious vulnerabilities in the | ||||||||||||||||
| [most recent major release](https://github.com/gfx-rs/wgpu/releases). Fixes for | ||||||||||||||||
| security vulnerabilities found shortly after the initial release of a major | ||||||||||||||||
| version may also be provided for the previous major release. | ||||||||||||||||
|
|
||||||||||||||||
| Mozilla provides security support for versions of WGPU used in [current | ||||||||||||||||
| versions of Firefox](https://whattrainisitnow.com/). | ||||||||||||||||
|
|
||||||||||||||||
| The version of WGPU that is active can be found in the Firefox repositories: | ||||||||||||||||
|
|
||||||||||||||||
| - [release](https://github.com/mozilla-firefox/firefox/blob/release/gfx/wgpu_bindings/Cargo.toml), | ||||||||||||||||
| - [beta](https://github.com/mozilla-firefox/firefox/blob/beta/gfx/wgpu_bindings/Cargo.toml), and | ||||||||||||||||
| - [nightly](https://github.com/mozilla-firefox/firefox/blob/main/gfx/wgpu_bindings/Cargo.toml), | ||||||||||||||||
|
|
||||||||||||||||
| We welcome reports of security vulnerabilities in any of these released | ||||||||||||||||
| versions or in the latest code on the `trunk` branch. | ||||||||||||||||
|
|
||||||||||||||||
|
|
||||||||||||||||
| ## Reporting a Vulnerability | ||||||||||||||||
|
|
||||||||||||||||
| Although not all vulnerabilities in WGPU will affect Firefox, Mozilla accepts | ||||||||||||||||
| all vulnerability reports for WGPU and directs them appropriately. Additionally, | ||||||||||||||||
| Mozilla serves as the CVE numbering authority for the WGPU project. | ||||||||||||||||
|
|
||||||||||||||||
| To report a security problem with WGPU, create a bug in Mozilla's Bugzilla | ||||||||||||||||
| instance in the | ||||||||||||||||
| [Core :: Graphics :: WebGPU](https://bugzilla.mozilla.org/enter_bug.cgi?product=Core&component=Graphics%3A+WebGPU&groups=core-security) | ||||||||||||||||
| component. | ||||||||||||||||
|
|
||||||||||||||||
| **IMPORTANT: For security issues, please make sure that you check the box | ||||||||||||||||
|
There was a problem hiding this comment. suggestion: I think we should also include the There was a problem hiding this comment. Given discussion, if this note is added, it'd need to be acknowledged that somebody might not see it if they're not part of the Graphics security group. |
||||||||||||||||
| labelled "Many users could be harmed by this security problem".** We advise | ||||||||||||||||
| that you check this option for anything that is potentially | ||||||||||||||||
| security-relevant, including memory safety, crashes, race conditions, and | ||||||||||||||||
| handling of confidential information. | ||||||||||||||||
|
|
||||||||||||||||
| Review Mozilla's [guides on bug | ||||||||||||||||
| reporting](https://bugzilla.mozilla.org/page.cgi?id=bug-writing.html) before | ||||||||||||||||
| you open a bug. | ||||||||||||||||
|
|
||||||||||||||||
| Mozilla operates a [bug bounty | ||||||||||||||||
| program](https://www.mozilla.org/en-US/security/bug-bounty/). Some | ||||||||||||||||
| vulnerabilities in this project may be eligible. | ||||||||||||||||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Isn't the name of the project generally written “
wgpu”, not “WGPU”? Not that that isn’t awkward sometimes, but this should be consistent with the rest of the project documentation.(Arguably, though, the name
wgpushould be interpreted as referring to the Rust cratewgpu, which I assume isn't used by Firefox for its WebGPU implementation?)There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It looks like we don't use either one consistently. The README uses "wgpu", but the GOVERNANCE and CONTRIBUTING documents use "WGPU".
I'm happy to change this document to whichever is preferred.