Nit: under High, "Additionally, we will usually rate issues that let an attacker execute arbitrary code in the sandbox as high because the sandbox limits the privileges of a compromised rendering engine." sandbox limits -> sandbox is designed to limit. (Lawyers are rubbing off on me.)

2009/5/7 Adam Barth <[email protected]>

>
> Recently some folks have asked how we decide what severity to rate
> each security vulnerability. Thus far, we've mostly been using an
> informal process, but it seemed like a good idea to spell out our
> policy publicly. Below is a draft of some guidelines for assigning
> severities to security issues. Please let me know if you have any
> feedback. Once the draft stabilizes, we'll find a home for the
> guidelines on dev.chromium.org.
>
> http://docs.google.com/Doc?id=dd4p8wc4_11cxwzfqfm
>
> This document is heavily influenced by Mozilla's guidelines for rating
> security vulnerabilities, which you can find at
> <https://wiki.mozilla.org/Security_Severity_Ratings>. The main
> difference is that the above document explains how the severity of
> security issues interacts with the sandbox.
>
> Thanks!
> Adam
>

--
Chromium Developers mailing list: [email protected]
View archives, change email options, or unsubscribe:
http://groups.google.com/group/chromium-dev
