Lapdog handles updates through its patching system. Since version 0.18.0, patches are distributed automatically to all Lapdog Engine Projects. Some projects are still running older versions, which cannot receive automatic updates. It is imperative that project administrators update their projects to at least 0.18.0 so that they begin receiving automatic updates.
If you think you have found a vulnerability that affects the security or integrity of Lapdog, please carefully follow these steps:
- DO NOT open an issue on GitHub or otherwise publicly post about the vulnerability
- Reporting any security vulnerability should follow the principles of Responsible Disclosure.
- Please send an email to [email protected] and CC [email protected] and [email protected]
- Describe the problem in as much detail as possible
- Someone will get back to you ASAP
Here are some example criteria of security vulnerabilities. If you think your bug can be described by any of the following, treat it as a security vulnerability:
- Allows users to access data they otherwise could not access, particularly data belonging to other users
- Allows users to directly access or modify cloud components that they do not have permissions to access or modify directly. Particularly:
  - Ability to modify the source code or IAM policies of cloud functions
  - Ability to modify the IAM policies of the project
  - Ability to access the core signing account's access key
  - Ability to utilize any compute resource besides resources provisioned through normal job execution
  - Ability to modify the configuration of any compute networks or subnetworks
  - Ability to create, list, or cancel any genomics operations (all users have GET access to operations)
  - Ability to authenticate as any service account in the project
- Allows users to run arbitrary code outside the context of the docker container for a workflow
- Allows users to modify or falsify a Lapdog Resolution (which ties a Firecloud Namespace to a particular project)