Hello Sandro,

On Fri, Sep 19, 2014 at 09:05:08PM +0100, Sandro Tosi wrote:
> > Please consider assigning an appropriate category to this kind of
> > problem and offer the user to set the security tag on the affected
> > report.
>
> Can you please clarify what this "category" you're describing is? Is
> it an additional severity (like "critical", "grave", "minor", etc.) or
> a tag (like "ipv6", "lfs", etc.)?

I was unsure where to put it, and reading the categories' descriptions, nothing seemed to fit: such a problem usually does not introduce a local root exploit, and also not a local user exploit, as far as I can see, as usually only unrelated third parties are directly affected - and the user who runs such software will only be indirectly affected by having his site appear on various lists he might not want to be on, damaging his reputation. These are the descriptions associated with "grave" and "serious". Whether one would want an additional category, or to alter the definition of one of the existing categories to cover this case, I am indifferent to; but if we are going the latter route, a specific tag would be nice.

> From what you describe, I think the right categorization for now is:
> severity=critical, tags=security - what would be the advantage of
> introducing a more fine-grained categorization for those issues?

To me, "critical" seemed to be reserved for root exploits. But the attacker does not gain root, and may not even be able to alter any data on the computer, while still using a computer with the vulnerable software to cause harm to unrelated third parties.

Kind regards,
--Toni++
