Unikraft is still in its development phase; not all security features have been implemented. Nevertheless, the Unikraft project takes security seriously and welcomes all security contributions.
Summary:
If you think you have found a security vulnerability in Unikraft, we invite you to report it privately to us through our GitHub Security tab. Please do not disclose the vulnerability before coordinating with us; we will work together to determine a suitable disclosure timeframe.
For more information on how to use the GitHub security tab, please take a look at the official GitHub documentation.
The Unikraft security team is responsible for a) privately receiving security reports through the GitHub Security feature, b) triaging them, c) coordinating their fixes, as well as d) releasing advisories after (and, if appropriate, during) the fix of the vulnerability.
The security team is currently composed of the following community members:
Unikraft is a unikernel: a single protection domain operating system running a single application. This means that, by design, a userland application can freely access and modify the Unikraft kernel memory and control flow. Similarly, system call arguments are not, or only partially, sanitized.
Unikraft supports common security hardening features such as address-space layout randomization, control-flow integrity, and memory tagging. These typically apply to both the application and the kernel, and can be enabled to make exploitation more difficult, which partially relaxes the claim made in the paragraph above.
What do we consider a Unikraft security vulnerability?
As a rule of thumb, here are the classes of bugs that we would consider security vulnerabilities:
Based on these guidelines, the Unikraft security team remains responsible for deciding whether or not a bug should be considered a Unikraft security vulnerability.
We follow the principles of responsible disclosure. This means:
Please do not request a CVE identifier. We will handle the assignment of CVE identifiers as part of our triage process, through GitHub Security.
As a community-driven project, we do not award bounties for vulnerability reports; however, if you wish, we will mention your name and/or pseudonym in our security advisories.
We release security fixes to the Unikraft staging branch, which regularly transitions to stable. As Unikraft is still in its development stages, we do not backport security fixes to older Unikraft releases. However, we maintain a list of disclosed vulnerabilities along with the corresponding fix(es) on our security advisories page.