gvisor.dev/gvisor@v0.0.0-20240520182842-f9d4d51c7e0f/SECURITY.md

# Security and Vulnerability Reporting

Sensitive security-related questions, comments, and reports should be sent to the [gvisor-security mailing list][gvisor-security-list]. You should receive a prompt response, typically within 48 hours.

## Security issue taxonomy

We distinguish the following types of issues, listed from most to least severe:

- Issues that go **beyond the sandbox boundary**:
  - **Container escapes**: Issues that allow arbitrary code to run on the host machine.
    - gVisor's purpose is to prevent these.
  - **Data exfiltration** from the host: Issues that allow reading arbitrary files or file metadata from the host (other than those intended to be visible to the sandbox).
  - **Sandbox-to-sandbox lateral movement**: Issues that allow arbitrary code execution in a different sandbox on the same host.
  - **Denial-of-service attacks** that affect **the host kernel** (i.e. trigger a host kernel panic).
  - **Denial-of-service attacks** that affect **other sandboxes on the same host**.
    - This excludes things like causing CPU starvation when a sandbox is running without resource constraints.
- Issues that **remain confined to a single sandbox**:
  - **Denial-of-service attacks** that affect a single sandbox and are **triggerable remotely** (e.g. by sending a specially-crafted network packet).
  - **Privilege escalation within the sandbox** (e.g. being able to do what in-sandbox `root` would be able to do from an in-sandbox non-`root` user).
  - **Denial-of-service attacks** that affect a single sandbox and are **triggerable from user code** running in that sandbox.
  - **Data integrity issues** relative to Linux behavior.
    - gVisor aims to be bug-for-bug compatible with Linux. While most compatibility issues are not security issues, it is conceivable that some compatibility issues may manifest as persistent data corruption; for example, differences in I/O syscall implementations may cause a database program to end up storing invalid data.

While all of the above are security issues, we generally only assign CVEs for issues that go beyond the sandbox boundary. Since gVisor is a container security platform, its main security focus is on preventing a user workload from "getting out of the box", relative to issues that remain within the proverbial box. Therefore, security issues that remain contained within a single sandbox are not considered critical and are not given CVE numbers by default. If you would still like to get a CVE number issued, you may report it to [BugHunter](https://g.co/vulnz).

## Security list access

Policies for security list access, vulnerability embargo, and vulnerability disclosure are outlined in the [governance policy](GOVERNANCE.md).

[gvisor-security-list]: https://groups.google.com/forum/#!forum/gvisor-security