By participating in this program, you agree to:

• Respect the Community Code of Conduct
• Respect the Intigriti Terms and Conditions
• Respect the scope of the program
• Not discuss or disclose vulnerability information without prior written consent (including PoC's on YouTube and Vimeo)

Container Toolkit Scope

The implementation using the NVIDIA Container Runtime Hook, NVIDIA Container CLI, and NVIDIA Container Library is considered deprecated and is effectively in maintenance mode. With this in mind, although critical vulnerabilities in this stack will be addressed, focus on the new CDI-based architecture is appreciated.

CUDA Toolkit Scope

Focus areas and Special Interests

• We are specifically looking for vulnerabilities which include local privilege escalation.
• The CUDA Toolkit includes software that is run only by CUDA developers (such as the nvcc compiler) and software that runs as part of a CUDA program deployed to users (such as libraries linked into CUDA programs). Vulnerabilities that impact users of CUDA programs are more valuable than those which only impact developers. A bug that requires the presence of the nvcc compiler is less valuable than one that impacts any CUDA binary built with CUDA libraries.
• We are looking for proof that you can use a bug to gain privilege. Making a program crash with a malformed input is not enough. We want to see that you can use the bug to execute code at a higher level of privilege than the user running the tool. For example, running code as a superuser or making the kernel driver take malicious action.
• As of July 1, 2025 GMT: DLL Highjacking related vulnerabilities will be classified as Tier 3 submissions

CUDA Toolkit Out of Scope

Asset Specific

• Null pointer issues
• Compiler Object Tools are not included in the compiler threat model, as they are not directly involved in the CUDA compilation flow. These are standalone development and diagnostic tools. Achieving an ACE on these tools does not have any security impact on the CUDA Toolkit or the compilers.

General

• In case that a reported vulnerability was already known to the company from their own tests, it will be flagged as a duplicate
• Theoretical security issues with no realistic exploit scenario(s) or attack surfaces, or issues that would require complex end user interactions to be exploited
• Spam, social engineering and physical intrusion
• DoS/DDoS attacks or brute force attacks
• Vulnerabilities that only work on software that no longer receive security updates
• Attacks requiring physical access to a victim's computer/device, man in the middle or compromised user accounts
• Recently discovered zero-day vulnerabilities found in in-scope assets within 14 days after the public release of a patch or mitigation may be reported, but are usually not eligible for a bounty
• Reports that state that software is out of date/vulnerable without a proof-of-concept

This program follows Intigriti's triage standards based on the proof of concept.

Please select one of the sections below and remove the sections that aren't applicable for you

Where can we get credentials for Container Toolkit?

• The app does not require credentials and is available as a fully open-source component: https://docs.nvidia.com/datacenter/cloud-native/container-toolkit/latest/install-guide.html

Where can we get credentials for CUDA Toolkit?

• You can self-register on the application but please don’t forget to use your @intigriti.me address.
• Join the NVIDIA Developer program: https://developer.nvidia.com/developer-program.
• And download the CUDA Toolkit for Linux or Windows: https://developer.nvidia.com/cuda-downloads.

Which Attack Vector Should be used in the CVSS Calculation?

• Always assume local access is required when evaluating vulnerabilities (Please set the CVSS attack vector to Local).
• Due to the nature of the CVSS calculator, vulnerabilities in that case can only reach a max severity of 9.3.
• As a result, exceptional and critical vulnerabilities within this program are eligible for the same bounty payout.