go-webgpu is currently in initial release (v0.x.x). We provide security updates for the following versions:

Future stable releases (v1.0+) will follow semantic versioning with LTS support.

We take security seriously. If you discover a security vulnerability in go-webgpu, please report it responsibly.

DO NOT open a public GitHub issue for security vulnerabilities.

Instead, please report security issues by:

1. Private Security Advisory (preferred): https://github.com/go-webgpu/webgpu/security/advisories/new

2. Email to maintainers: Create a private GitHub issue or contact via discussions

Please include the following information in your report:

• Description of the vulnerability
• Steps to reproduce the issue
• Affected versions (which versions are impacted)
• Potential impact (memory corruption, crashes, GPU resource leaks, etc.)
• Suggested fix (if you have one)
• Your contact information (for follow-up questions)

• Initial Response: Within 48-72 hours
• Triage & Assessment: Within 1 week
• Fix & Disclosure: Coordinated with reporter

We aim to:

1. Acknowledge receipt within 72 hours
2. Provide an initial assessment within 1 week
3. Work with you on a coordinated disclosure timeline
4. Credit you in the security advisory (unless you prefer to remain anonymous)

go-webgpu provides Go bindings to wgpu-native, which interfaces with GPU hardware. This introduces security considerations that users should be aware of.

Risk: go-webgpu uses FFI (Foreign Function Interface) to call native wgpu library functions.

Attack Vectors:

• Incorrect pointer handling in FFI calls
• Memory corruption from mismatched struct layouts
• Use-after-free from incorrect resource lifetime management

Mitigation:

• Careful struct layout matching with C headers
• Explicit resource cleanup with Release/Drop methods
• Extensive testing on all platforms
• golangci-lint with FFI-aware configuration

User Recommendations:

// Always release GPU resources when done device := adapter.CreateDevice(nil) defer device.Release() buffer := device.CreateBuffer(&wgpu.BufferDescriptor{...}) defer buffer.Release()

Risk: Improper resource management can exhaust GPU memory or cause driver crashes.

Attack Vectors:

• Creating buffers/textures without releasing them
• Infinite loops in compute shaders
• Excessive command buffer submissions

Mitigation:

• Explicit resource lifetime management
• wgpu-native's built-in validation layer
• Device lost callbacks for error recovery

User Best Practices:

// Enable validation in development instance := wgpu.CreateInstance(nil) // Use device lost callback device := adapter.CreateDevice(&wgpu.DeviceDescriptor{ DeviceLostCallback: func(reason wgpu.DeviceLostReason, message string) { log.Printf("Device lost: %v - %s", reason, message) }, }) // Always release resources defer texture.Release() defer buffer.Release() defer pipeline.Release()

Risk: WGSL shaders execute on GPU and could potentially cause issues.

Attack Vectors:

• Malformed WGSL causing driver crashes
• Infinite loops in shaders (GPU hang)
• Out-of-bounds buffer access in shaders

Mitigation:

• wgpu-native validates all WGSL shaders
• WebGPU spec mandates bounds checking
• No access to system resources from shaders
• Shader compilation errors are returned to application

User Recommendations:

// Always check shader compilation errors shaderModule, err := device.CreateShaderModule(&wgpu.ShaderModuleDescriptor{ WGSLDescriptor: &wgpu.ShaderModuleWGSLDescriptor{ Code: wgslSource, }, }) if err != nil { log.Printf("Shader compilation failed: %v", err) return err }

Risk: Mapped buffers provide direct memory access.

Attack Vectors:

• Reading unmapped buffer memory
• Writing beyond buffer bounds
• Using mapped pointer after unmap

Mitigation:

• WebGPU spec enforces mapping state machine
• Bounds checking in GetMappedRange
• wgpu-native validation

User Best Practices:

// Wait for map to complete before accessing buffer.MapAsync(wgpu.MapModeRead, 0, size, func(status wgpu.BufferMapAsyncStatus) { if status != wgpu.BufferMapAsyncStatusSuccess { return } // Only access after successful map data := buffer.GetMappedRange(0, size) // ... use data ... buffer.Unmap() // Don't use 'data' after Unmap! })

Risk: Surface creation requires platform-specific window handles.

Attack Vectors:

• Invalid window handle causing crashes
• Surface use after window destruction
• Cross-platform handle confusion

Mitigation:

• Platform-specific surface creation functions
• Validation of window handles where possible
• Clear documentation of lifetime requirements

User Recommendations:

// Ensure window is valid before creating surface surface, err := instance.CreateSurface(&wgpu.SurfaceDescriptor{ WindowsHWND: &wgpu.SurfaceDescriptorFromWindowsHWND{ Hwnd: hwnd, // Must be valid HWND }, }) if err != nil { return err } // Release surface before destroying window surface.Release() // Then destroy window

Risk: go-webgpu loads wgpu-native as a dynamic library.

Attack Vectors:

• DLL hijacking (malicious library in search path)
• Library version mismatch
• Missing library dependencies

Mitigation:

• Explicit library paths recommended
• Version checking at load time
• Clear error messages for missing libraries

User Best Practices:

// Set explicit library path if needed os.Setenv("WGPU_NATIVE_PATH", "/path/to/wgpu_native.dll") // Or place library in application directory

Always release GPU resources:

device := adapter.CreateDevice(nil) defer device.Release() // Create resources buffer := device.CreateBuffer(...) texture := device.CreateTexture(...) pipeline := device.CreateRenderPipeline(...) // Release in reverse order defer pipeline.Release() defer texture.Release() defer buffer.Release()

Always check errors:

// Check adapter request adapter, err := instance.RequestAdapter(...) if err != nil { return fmt.Errorf("failed to get adapter: %w", err) } // Check device creation device, err := adapter.CreateDevice(...) if err != nil { return fmt.Errorf("failed to create device: %w", err) } // Check shader compilation module, err := device.CreateShaderModule(...) if err != nil { return fmt.Errorf("shader error: %w", err) }

Use error scopes for detailed GPU error information:

device.PushErrorScope(wgpu.ErrorFilterValidation) // ... GPU operations ... device.PopErrorScope(func(err wgpu.Error) { if err != nil { log.Printf("GPU validation error: %v", err) } })

Status: Dependency on upstream security.

Risk Level: Low

Description: go-webgpu's security depends on wgpu-native. We track wgpu-native releases and update accordingly.

Status: Careful implementation with testing.

Risk Level: Medium

Description: FFI calls require careful pointer and memory management. We maintain extensive tests and linter checks.

Status: Platform-specific code paths tested.

Risk Level: Low

Description: Different platforms (Windows, Linux, macOS) have different loader and surface implementations.

go-webgpu dependencies:

Monitoring:

• Dependabot enabled for Go dependencies
• Track wgpu-native releases for security updates

• Unit tests for all public APIs
• Platform-specific tests (Windows, Linux, macOS)
• Memory leak detection in examples
• golangci-lint with security linters

• Fuzz testing for FFI boundaries
• Integration tests with various GPU drivers
• Security-focused code review

Initial release - No security issues reported yet.

• GitHub Security Advisory: https://github.com/go-webgpu/webgpu/security/advisories/new
• Public Issues (for non-sensitive bugs): https://github.com/go-webgpu/webgpu/issues
• Discussions: https://github.com/go-webgpu/webgpu/discussions

go-webgpu does not currently have a bug bounty program. We rely on responsible disclosure from the security community.

If you report a valid security vulnerability:

• Public credit in security advisory (if desired)
• Acknowledgment in CHANGELOG
• Our gratitude and recognition in README

Thank you for helping keep go-webgpu secure!

Security is a journey, not a destination. We continuously improve our security posture with each release.