SecOps Bugs

If you are unsure whether an issue is a security vulnerability, always err on the side of caution and report it as a security vulnerability!

Bugs must affect a tier 1 platform or feature to be considered a security vulnerability.

SecOps of the core libraries is paramount. Anything that undermines their ability to function correctly and securely is a security vulnerability.

On the other hand, behaviour that diverges from OpenID semantics (such as naming, lack of support for a particular RFC, etc.) is not considered a security vulnerability so long as it does not violate guarantees implied by the existing implementation.

Denial of service during execution is considered a security vulnerability. For example, a Vercre endpoint that goes into an infinite loop and never yields is considered a security vulnerability.

Any kind of memory unsafety (e.g. use-after-free bugs, out-of-bounds memory accesses, etc.) is always a security vulnerability.

Cheat Sheet: Is it a security vulnerability?

Type of bug                                      Security vulnerability?
Uncaught out-of-bounds memory access             Yes
Uncaught out-of-bounds table access              Yes
Failure to uphold OpenID flow integrity          Yes
File system access                               Yes
Memory unsafety                                  Yes
Use-after-free                                   Yes
Out-of-bounds memory access                      Yes
Use of uninitialized memory                      Yes
Denial of service                                Yes
Panic                                            Yes
Process abort                                    Yes
Uninterruptible infinite loops                   Yes
User-controlled memory exhaustion                Yes
Uncontrolled recursion over user-supplied input  Yes
Divergence from OpenID semantics                 No
Computing incorrect value                        No
Raising errant trap                              No

N.B. We still want to fix every bug mentioned above even if it is not a security vulnerability! We appreciate when issues are filed for non-vulnerability bugs, particularly when they come with test cases and steps to reproduce!