mirror of
https://github.com/luau-lang/luau.git
synced 2024-12-12 21:10:37 +00:00
48172dd5b1
Note that native code gen is currently exempt from any security guarantees as it's a pre-production R&D component right now. This will change in the future as we deploy it to production.
14 lines
1.1 KiB
Markdown
14 lines
1.1 KiB
Markdown
# Security Guarantees
|
|
|
|
Luau provides a safe sandbox that scripts can not escape from, short of vulnerabilities in custom C functions exposed by the host. This includes the virtual machine and builtin libraries. Notably this currently does *not* include the work-in-progress native code generation facilities.
|
|
|
|
Any source code can not result in memory safety errors or crashes during its compilation or execution. Violations of memory safety are considered vulnerabilities.
|
|
|
|
Note that Luau does not provide termination guarantees - some code may exhaust CPU or RAM resources on the system during compilation or execution.
|
|
|
|
The runtime expects valid bytecode as an input. Feeding bytecode that was not produced by Luau compiler into the VM is not supported and
|
|
doesn't come with any security guarantees; make sure to sign and/or encrypt the bytecode when it crosses a network or file system boundary to avoid tampering.
|
|
|
|
# Reporting a Vulnerability
|
|
|
|
You can report security bugs via [Hackerone](https://hackerone.com/roblox). Please refer to the linked page for rules of the bounty program.
|