Hello,

In the curl security team we assign "severity" to reported security vulnerabilities and we have chosen to explicitly opt out from using any form of numerical scoring. We use Low, Medium, High and Critical.

This system has not been properly documented, and I want to improve this, so I have tried to draft a first version that explains how we reason when setting the severities we do, usually, of course, basing our judgement on how we decided for previous issues.

The descriptions for the various levels are fairly vague right now, but I am not sure we can make them very specific. I have looked at how they are defined in other projects and I have not found a set that I wanted to copy and use "wholesale".

Thoughts and improvements welcome!

https://github.com/curl/curl/pull/10118

--

 / daniel.haxx.se
 | Commercial curl support up to 24x7 is available!
 | Private help, bug fixes, support, ports, new features
 | https://curl.se/support.html