MindSpore is a training and inference framework that supports device, edge, and cloud scenarios. It is widely used in various fields, such as terminals, edge computing, cloud services, network devices, storage devices, and 5G, and must meet the application security requirements of all these scenarios.
As a general-purpose computing framework, MindSpore can run on different chip platforms such as the CPU, GPU, and Ascend. Users provide data or models as the input and obtain training models or inference results. As core assets in the AI field, data and models require continuous security protection in AI systems.
We also provide suggestions on secure running of key components:
To build a more secure AI framework, we sincerely invite you to join us.
If you find a suspected security issue, use the Suspected Security Issue Reporting Template to report it with sufficient details, so that the community vulnerability management team (VMT) can confirm and fix the issue as soon as possible. Receipt of your email will be confirmed within one working day. Within seven days, we will provide a more detailed reply to your suspected security issue and the next-step handling policy.
To ensure security, please use the PGP public key to encrypt your email before sending it.
After receiving the issues, we will handle the security issues according to the following process:
The VMT consists of vulnerability management experts in the community. The team is responsible for coordinating the entire process from vulnerability receiving to disclosure, including:
| CVE list | Third party version | Suggestion |
|---|---|---|
| CVE-2019-18348, CVE-2020-8315, CVE-2020-8492, CVE-2020-27619, CVE-2021-3426, CVE-2021-23336 | Python 3.7.5 | |
| CVE-2019-19911, CVE-2020-5310, CVE-2020-5311, CVE-2020-5312, CVE-2020-5313 | Pillow < 6.2.2 | Upgrade to latest Pillow (8.2.0) |
| CVE-2020-10177, CVE-2020-10378, CVE-2020-10379, CVE-2020-10994, CVE-2020-11538 | Pillow < 7.1.0 | Upgrade to latest Pillow (8.2.0) |
| CVE-2020-15999 | Pillow < 8.0.1 | Upgrade to latest Pillow (8.2.0) |
| CVE-2020-35653, CVE-2020-35654, CVE-2020-35655 | Pillow < 8.1.0 | Upgrade to latest Pillow (8.2.0) |
| CVE-2021-25289, CVE-2021-25290, CVE-2021-25291, CVE-2021-25292, CVE-2021-25293, CVE-2021-27921, CVE-2021-27922, CVE-2021-27923 | Pillow < 8.1.1 | Upgrade to latest Pillow (8.2.0) |
| CVE-2021-25287, CVE-2021-25288, CVE-2021-28675, CVE-2021-28676, CVE-2021-28677, CVE-2021-28678 | Pillow < 8.2.0 | Upgrade to latest Pillow (8.2.0) |