gvisor.dev/gvisor@v0.0.0-20240520182842-f9d4d51c7e0f/SECURITY.md

# Security and Vulnerability Reporting

Sensitive security-related questions, comments, and reports should be sent to
the [gvisor-security mailing list][gvisor-security-list]. You should receive a
prompt response, typically within 48 hours.

## Security issue taxonomy

We distinguish the following types of issues, listed from most to least severe:

-   Issues that go **beyond the sandbox boundary**:
    -   **Container escapes**: Issues that allow arbitrary code to run on the
        host machine.
        -   gVisor's purpose is to prevent these.
    -   **Data exfiltration** from the host: Issues that allow reading arbitrary
        files or file metadata from the host (other than those intended to be
        visible to the sandbox).
    -   **Sandbox-to-sandbox lateral movement**: Issues that allow arbitrary
        code execution in a different sandbox on the same host.
    -   **Denial-of-service attacks** that affect **the host kernel** (i.e.
        trigger a host kernel panic).
    -   **Denial-of-service attacks** that affect **other sandboxes on the same
        host**.
        -   This excludes things like causing CPU starvation when a sandbox is
            running without resource constraints.
-   Issues that **remain confined to a single sandbox**:
    -   **Denial-of-service attacks** that affect a single sandbox and are
        **triggerable remotely** (e.g. by sending a specially-crafted network
        packet).
    -   **Privilege escalation within the sandbox** (e.g. being able to do what
        in-sandbox `root` would be able to do from an in-sandbox non-`root`
        user).
    -   **Denial-of-service attacks** that affect a single sandbox and are
        **triggerable from user code** running in that sandbox.
    -   **Data integrity issues** relative to Linux behavior.
        -   gVisor aims to be bug-for-bug compatible with Linux. While most
            compatibility issues are not security issues, it is conceivable that
            some compatibility issues may manifest as persistent data
            corruption; for example, differences in I/O syscall implementations
            may cause a database program to end up storing invalid data.

While all of the above are security issues, we generally only assign CVEs for
issues that go beyond the sandbox boundary. Since gVisor is a container security
platform, its main security focus is on preventing a user workload from "getting
out of the box"; issues that remain within the proverbial box are a lower
priority. Therefore, security issues that remain confined to a single sandbox
are not considered critical and are not given CVE numbers by default. If you
would still like to get a CVE number issued, you may report it to
[BugHunter](https://g.co/vulnz).

## Security list access

Policies for security list access, vulnerability embargo, and vulnerability
disclosure are outlined in the [governance policy](GOVERNANCE.md).

[gvisor-security-list]: https://groups.google.com/forum/#!forum/gvisor-security