Hello,
In the curl security team we assign "severity" to reported security
vulnerabilites and we have chosen to explictly opt out from using any form of
numerical scoring. We use Low, Medium, High and Critical.
This system has not been properly documented, and I want to improve this and I
have therefore tried to draft a first version trying to explain how we reason
when setting the severities we do. Usually of course basing our judgement on
how we decided for previous issues.
The descriptions for the various levels is fairly vague right now, but I am
not sure we can make them very specific. I have looked at how they are defined
in other projects and I have not found a set that I wanted to copy and use
"wholesale".
Thoughts and improvements welcome!
https://github.com/curl/curl/pull/10118
--
/ daniel.haxx.se
| Commercial curl support up to 24x7 is available!
| Private help, bug fixes, support, ports, new features
| https://curl.se/support.html
--
Unsubscribe: https://lists.haxx.se/listinfo/curl-library
Etiquette: https://curl.se/mail/etiquette.html
