luau-lang/luau
1
0
Fork 0
mirror of https://github.com/luau-lang/luau.git synced 2025-03-04 03:01:41 +00:00
Code Issues Projects Releases Packages Wiki Activity
luau/SECURITY.md
ariel 86bf4ae42d
Revise some of the copytext in markdown files. (#1677) 
We have a bunch of small grammatical nits and slightly awkward phrasings
present in our existing markdown files. This is a small pass over all of
them to fix those, and to provide some additional updated information
that has become more clear over time (like additional users of Luau, or
our leveraging something akin to the Minus 100 Points philosophy for
evaluating RFCs).

---------

Co-authored-by: Varun Saini <61795485+vrn-sn@users.noreply.github.com>
2025-02-20 13:56:00 -08:00

1 KiB
Raw Blame History

Security Guarantees

Luau provides a safe sandbox that scripts can not escape from, short of vulnerabilities in custom C functions exposed by the host. This includes the virtual machine, builtin libraries and native code generation facilities.

Any source code can not result in memory safety errors or crashes during its compilation or execution. Violations of memory safety are considered vulnerabilities.

Note that Luau does not provide termination guarantees - some code may exhaust CPU or RAM resources on the system during compilation or execution.

The runtime expects valid bytecode as an input. Feeding bytecode that was not produced by Luau compiler into the VM is not supported, and doesn't come with any security guarantees; make sure to sign and/or encrypt the bytecode when it crosses a network or file system boundary to avoid tampering.

Reporting a Vulnerability

You can report security bugs via HackerOne. Please refer to the linked page for rules of the bounty program.