The WebKit Open Source Project

WebKit Security Policy

How To Report Security Bugs

  1. Reporting an issue: Start by filing a bug in the Security product in the WebKit bug database, at Bugs in the Security product will have special access controls that restrict who can view and alter the bug; only members of the WebKit Security Group and the originator will have access to the bug.
  2. Scope of disclosure: If you would like to limit further dissemination of the information in the bug report, please say so in the bug. Otherwise the WebKit Security Group may share information with other vendors if we find they may be affected by the same vulnerability. The WebKit Security Group will handle the information you provide responsibly. See the other sections of this document for details.
  3. Getting feedback: We cannot guarantee a prompt human response to every security bug filed. If you would like immediate feedback on a security issue, or would like to discuss details with members of the WebKit Security Group, please email and include a link to the relevant Bugzilla bug. Your message will be acknowledged within a week at most.

    The current member list will be published at

How To Join the WebKit Security Group

  1. Criteria: Nominees for WebKit Security Group membership should meet at least one of the following criteria:
    • The nominee specializes in fixing WebKit security related bugs or often participates in their exploration and resolution.
    • The nominee has a track record of finding security vulnerabilities and responsible disclosure of those vulnerabilities.
    • The nominee is a web technology expert who has specific interests in knowing about, resolving, and preventing future security vulnerabilities.
    Vendor contacts:
    • The nominee represents an organization or company which ships products that include their own copy of WebKit. Due to their position in the organization, the nominee has a reasonable need to know about security issues and disclosure embargoes.
  2. Nomination process: Anyone who feels they meet these criteria can nominate themselves by mailing, or may be nominated by a third party such as an existing WebKit Security Group member. The nomination email should state whether the nominee is nominated as an individual or as a vendor contact and clearly describe the grounds for nomination.
  3. Choosing new members: If a nomination for Security Group membership is supported by at least three existing Security Group members (either one initial nomination and two seconds, or in the case of self-nomination, three seconds), then it carries within 5 business days unless an existing member of the Security Group objects. If an objection is raised, the WebKit Security Group members should discuss the matter and try to come to consensus; failing this, the nomination will succeed only by majority vote of the WebKit Security Group. After a vote is called for on the mailing list, voting will be open for 5 business days.
  4. Accepting membership: Before new WebKit Security Group membership is finalized, the successful nominee should accept membership and agree to abide by this security policy, particularly Privileges and Responsibilities of WebKit Security Group members.
  5. Duration of membership: Vendor contacts will only remain members as long as their position with that vendor remains the same. Individuals will remain members indefinitely until they resign or their membership is terminated.

Privileges and Responsibilities of WebKit Security Group Members

Termination of WebKit Security Group Membership

Changes to the Policy

The WebKit Security Policy may be changed in the future by rough consensus of the WebKit Security Group. Changes to the policy will be posted publicly.