We release patches for security vulnerabilities for the following versions:
| Version | Supported |
|---|---|
| 1.x | ✅ |
| < 1.0 | ❌ |
We take security vulnerabilities seriously. If you discover a security issue, please report it responsibly:
- Do not open a public issue for security vulnerabilities
- Email security concerns to the repository maintainer
- Include the following information:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if available)
- Acknowledgment: Within 48 hours
- Initial Assessment: Within 7 days
- Fix Development: Depends on severity (critical issues prioritized)
- Disclosure: After fix is released
This project executes CUDA kernels on GPU hardware. Key security considerations:
- Memory Safety: All GPU memory operations use
CUDA_CHECK()for error handling - Input Validation: Public APIs validate input dimensions and pointers
- Buffer Bounds: Matrix operations check for integer overflow before allocation
The custom binary weight format includes:
- Magic number validation
- Version checking
- Layer dimension bounds checking
Note: Weight files do not include cryptographic signatures. Users should verify file integrity through external means for production deployments.
| Dependency | Security Notes |
|---|---|
| CUDA Toolkit | Follow NVIDIA security advisories |
| cuBLAS | Part of CUDA Toolkit |
| Google Test | Only used for testing, not production |
- No GPU Isolation: CUDA kernels run with the same permissions as the host process
- No Weight Encryption: Weight files are stored in plaintext
- No Rate Limiting: Inference engine has no built-in rate limiting
Security updates will be released as patch versions and documented in:
Last updated: April 2024