v8/SECURITY.md at main · v8/v8 · GitHub
V8 Security Guidance

The primary security goal of V8 is to safely execute untrusted JavaScript and WebAssembly.

V8 follows Chromium's security guidelines.

To be eligible for the Chrome VRP, report security bugs via Google Bughunters (Chrome VRP).

Otherwise, directly report security issues using the Buganizer form. To speed up triaging, set the component to Blink>JavaScript and include the security intake list.

AI agents seeking general Chromium security guidelines should consult the Security for Agents guide first.

Threat model & security boundaries

V8 defines its security boundaries based on two distinct execution models:

  1. Language security: Untrusted script execution (JavaScript, WebAssembly, or validated runtime helpers) must never lead to memory corruption, nor to violations of the cross-origin restrictions that V8 enforces together with the Blink rendering engine or other embedders. Concretely, V8 does not decide which origins are isolated in separate processes (that is the embedder's job), but it must perform the access checks over its own APIs when the embedder asks for them.
  2. V8 Sandbox: Assume an attacker already has arbitrary read/write access to memory inside the sandbox (and arbitrary read access to the entire process). They must not be able to turn this into write access to any memory outside the sandbox.
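The boundary in item 2 is easiest to see in code. What follows is an added example written for this page, not V8's source: a deliberately small C++ model in which references between in-sandbox objects are stored as offsets that are masked to the sandbox range, and references to objects outside the sandbox are indices into a type-tagged table kept outside it. The sandbox size, the mask, the tag values and every function name are assumptions of the model; the attacker primitive is the one from the threat model (arbitrary read/write inside the sandbox plus arbitrary read of the process). The second function shows the design the sandbox replaces, where the same primitive becomes an out-of-sandbox write.

```cpp
// Added illustrative model of the V8 sandbox boundary. Not V8 source code;
// sizes, masks, tags and names below are assumptions of this demo.
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

namespace sandbox_model {

// Toy sandbox heap (V8 reserves a far larger virtual range; size is assumed).
constexpr uint32_t kSandboxSize = 1u << 16;
constexpr uint32_t kOffsetMask = kSandboxSize - 1;   // power-of-two size

struct Sandbox {
  std::vector<uint8_t> heap = std::vector<uint8_t>(kSandboxSize, 0);

  // Resolve an in-sandbox reference: mask the stored offset, then add the
  // base. Any 32-bit value an attacker plants still lands inside `heap`.
  uint8_t* resolve(uint32_t offset) { return &heap[offset & kOffsetMask & ~3u]; }

  // Attacker primitive from the threat model: arbitrary read/write of
  // sandbox memory. By construction it cannot reach outside `heap`.
  void write32(uint32_t off, uint32_t v) { std::memcpy(resolve(off), &v, 4); }
  uint32_t read32(uint32_t off) { uint32_t v; std::memcpy(&v, resolve(off), 4); return v; }
};

// Out-of-sandbox state that must stay intact under the threat model.
struct TrustedState { uint32_t access_allowed = 0; };

// References to out-of-sandbox objects: in-sandbox fields hold an index into
// a table kept outside the sandbox; entries carry a type tag.
enum Tag : uint8_t { kOtherTag = 1, kTrustedStateTag = 2 };
struct ExternalEntry { void* ptr; Tag tag; };
struct ExternalTable {
  std::vector<ExternalEntry> entries;
  void* get(uint32_t index, Tag expected) {  // nullptr on bad index or tag
    if (index >= entries.size() || entries[index].tag != expected) return nullptr;
    return entries[index].ptr;
  }
};

// Sandbox design: the reference field is an offset. The attacker corrupts it;
// the runtime's write through it still stays inside the sandbox.
// Returns true if `trusted` (outside the sandbox) was left untouched.
bool offset_reference_survives_corruption() {
  Sandbox sb;
  TrustedState trusted;
  constexpr uint32_t kNextField = 0x100;   // field of some in-sandbox object
  sb.write32(kNextField, 0x200);           // legitimate: refers to offset 0x200
  sb.write32(kNextField, 0xFFFFFFFFu);     // attacker: arbitrary in-sandbox write
  uint32_t one = 1;
  std::memcpy(sb.resolve(sb.read32(kNextField)), &one, sizeof one);  // runtime follows it
  return trusted.access_allowed == 0;
}

// Pre-sandbox design: the field holds a raw 64-bit pointer. With arbitrary
// process read, the attacker knows &trusted and points the field at it.
// Returns true if `trusted` survived; with this design it does not.
bool raw_pointer_reference_survives_corruption() {
  Sandbox sb;
  TrustedState trusted;
  constexpr uint32_t kNextField = 0x100;
  uintptr_t raw = reinterpret_cast<uintptr_t>(&trusted.access_allowed);
  sb.write32(kNextField, static_cast<uint32_t>(raw));           // attacker writes
  sb.write32(kNextField + 4, static_cast<uint32_t>(raw >> 32));  // the raw pointer
  uintptr_t target = sb.read32(kNextField) |
                     (static_cast<uintptr_t>(sb.read32(kNextField + 4)) << 32);
  *reinterpret_cast<uint32_t*>(target) = 1;  // runtime: unchecked write through it
  return trusted.access_allowed == 0;
}

// Sandbox design for external references: the attacker can change the index
// but not the table; out-of-range and wrong-tag lookups are refused.
// Returns true if both attacker retargetings were rejected.
bool external_table_rejects_retargeted_index() {
  Sandbox sb;
  TrustedState trusted;
  uint32_t other = 0;
  ExternalTable table;
  table.entries.push_back({&other, kOtherTag});           // index 0
  table.entries.push_back({&trusted, kTrustedStateTag});  // index 1
  constexpr uint32_t kHandleField = 0x300;
  sb.write32(kHandleField, 0);   // legitimate: refers to `other`
  sb.write32(kHandleField, 1);   // attacker: retarget at `trusted` (wrong type)
  bool wrong_tag_refused = table.get(sb.read32(kHandleField), kOtherTag) == nullptr;
  sb.write32(kHandleField, 0x7FFFFFFFu);  // attacker: index past the end of the table
  bool out_of_range_refused = table.get(sb.read32(kHandleField), kOtherTag) == nullptr;
  return wrong_tag_refused && out_of_range_refused;
}

}  // namespace sandbox_model
```

`offset_reference_survives_corruption` and `external_table_rejects_retargeted_index` return true; `raw_pointer_reference_survives_corruption` returns false, because once a raw pointer is stored in sandbox memory the attacker's in-sandbox write becomes an out-of-sandbox write. A sandbox bypass is any path that reaches that second outcome despite the first design, which is what a sandbox security PoC has to demonstrate.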

Further documentation

  • Reproducing Security Bugs: Instructions on verifying bugs using --run-as-security-poc and --run-as-sandbox-security-poc.
  • Triaging Security Bugs: Detailed classification logic, label conventions, and common resolution paths.
  • V8 Sandbox: Design documentation, sandbox testing API, and table architectures.
  • V8 Inspector Security: CDP security boundaries, inspector-test constraints, and severity guidelines.