Changes between Version 2 and Version 3 of WebKitGTK/MaintenanceTips


Ignore:
Timestamp:
Mar 22, 2019 1:31:27 PM (5 years ago)
Author:
Michael Catanzaro
Comment:

--

Legend:

Unmodified
Added
Removed
Modified

  • WebKitGTK/MaintenanceTips

    v2 v3  
    2525== Security
    2626
    27 Security is very important for a web engine. As a rule, any issue in which web content can crash WebKit is a security issue. In fact, almost every crash is a security issue. The only crashes which are not security issues are crashes that cannot be triggered by web content, but such crashes are few and far between in WebKit. Fortunately, not all crashes are equally-severe. E.g. a null pointer dereference is merely a denial of service issue, whereas a use-after-free or buffer overflow is a code execution vulnerability.
     27Security is very important for a web engine. As a rule, any issue in which web content can crash WebKit is a security issue. In fact, almost every crash or assertion failure is a security issue. The only crashes which are not security issues are crashes that cannot be triggered by web content, but such crashes are few and far between in WebKit. Fortunately, not all crashes are equally-severe. E.g. a null pointer dereference or a release assert is merely a denial of service issue, whereas a use-after-free or buffer overflow is a code execution vulnerability.
    2828
    2929There is a [https://bugs.webkit.org/userprefs.cgi?tab=saved-searches saved search] in Bugzilla to display open bugs in the Security component, which will be visible to you if you are a member of the WebKit Security Team. However, because almost all crashes are security issues, most security issues are actually reported publicly instead of against the Security component.