NVIDIA is dedicated to the security and trust of our software products and services, including all source code repositories managed through our organization.
If you need to report a security issue, please use the appropriate contact points outlined below. Please do not report security vulnerabilities through GitHub/GitLab.
To report a potential security vulnerability in CUDA Python:
- Web: Security Vulnerability Submission Form
- E-Mail: psirt@nvidia.com
  - We encourage you to use the following PGP key for secure email communication: NVIDIA public PGP Key for communication
- Please include the following information:
  - Product/Driver name and version/branch that contains the vulnerability
  - Type of vulnerability (code execution, denial of service, buffer overflow, etc.)
  - Instructions to reproduce the vulnerability
  - Proof-of-concept or exploit code
  - Potential impact of the vulnerability, including how an attacker could exploit the vulnerability
While NVIDIA currently does not have a bug bounty program, we do offer acknowledgement when an externally reported security issue is addressed under our coordinated vulnerability disclosure policy. Please visit our Product Security Incident Response Team (PSIRT) policies page for more information.
cuda.core.Buffer objects allocated from IPC-enabled memory resources can be
pickled for transfer between same-host processes. Unpickling performs an IPC
memory import using the embedded IPCBufferDescriptor. Only unpickle buffers
(and call Buffer.from_ipc_descriptor) with descriptors from trusted peers;
malicious descriptors can trigger invalid memory operations.
When sharing CUDA objects across processes, use multiprocessing with the
spawn start method.
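
An added illustration of the trusted-peer advice above (not CUDA Python's or NVIDIA's code): authenticate the pickled bytes with an HMAC key handed to the child at spawn time, and verify the tag before `pickle.loads` ever runs. The names `seal`, `open_sealed` and `_consumer` are hypothetical, and a plain dict stands in for a pickled Buffer so the example runs without a GPU.

```python
import hashlib
import hmac
import multiprocessing as mp
import pickle
import secrets

TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def seal(key: bytes, obj) -> bytes:
    """Pickle obj and prepend an HMAC-SHA256 tag computed over the pickle bytes."""
    payload = pickle.dumps(obj, protocol=pickle.HIGHEST_PROTOCOL)
    return hmac.new(key, payload, hashlib.sha256).digest() + payload


def open_sealed(key: bytes, blob: bytes):
    """Verify the tag first; only then hand the bytes to pickle.loads."""
    if len(blob) < TAG_LEN:
        raise ValueError("blob too short to carry a tag")
    tag, payload = blob[:TAG_LEN], blob[TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("untrusted payload: tag mismatch, refusing to unpickle")
    return pickle.loads(payload)


def _consumer(key: bytes, conn) -> None:
    # Child process: report what was accepted or why it was rejected.
    for _ in range(2):
        try:
            conn.send(("accepted", open_sealed(key, conn.recv_bytes())))
        except ValueError as exc:
            conn.send(("rejected", str(exc)))


if __name__ == "__main__":
    ctx = mp.get_context("spawn")      # spawn start method, as recommended above
    key = secrets.token_bytes(32)      # shared only with processes we start
    parent, child = ctx.Pipe()
    proc = ctx.Process(target=_consumer, args=(key, child))
    proc.start()
    # Constructed stand-in for a pickled cuda.core.Buffer (assumption: no GPU here).
    good = seal(key, {"kind": "stand-in-buffer", "size": 4096})
    parent.send_bytes(good)
    print(parent.recv())
    parent.send_bytes(good[:-1] + bytes([good[-1] ^ 1]))  # one flipped bit
    print(parent.recv())
    proc.join()
```

The tag only proves the sender holds the key; it does not make a descriptor from a compromised key holder safe to import.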
For all security-related concerns, please visit NVIDIA's Product Security portal at https://www.nvidia.com/en-us/security.