[chromium-dev] Re: Severity Guidelines for Security Issues
Thanks for all your comments. The guidelines are now posted at:

http://dev.chromium.org/developers/severity-guidelines

Adam

On Thu, May 7, 2009 at 11:41 PM, Adam Barth <aba...@chromium.org> wrote:
> Recently some folks have asked how we decide what severity to rate each
> security vulnerability. Thus far, we've mostly been using an informal
> process, but it seemed like a good idea to spell out our policy publicly.
>
> Below is a draft of some guidelines for assigning severities to security
> issues. Please let me know if you have any feedback. Once the draft
> stabilizes, we'll find a home for the guidelines on dev.chromium.org.
>
> http://docs.google.com/Doc?id=dd4p8wc4_11cxwzfqfm
>
> This document is heavily influenced by Mozilla's guidelines for rating
> security vulnerabilities, which you can find at
> https://wiki.mozilla.org/Security_Severity_Ratings. The main difference
> is that the above document explains how the severity of security issues
> interacts with the sandbox.
>
> Thanks!
> Adam

--~--~-~--~~~---~--~~
Chromium Developers mailing list: chromium-dev@googlegroups.com
View archives, change email options, or unsubscribe:
http://groups.google.com/group/chromium-dev
-~--~~~~--~~--~--~---
[chromium-dev] Re: Severity Guidelines for Security Issues
Nit: under High,

  "Additionally, we will usually rate issues that let an attacker execute
  arbitrary code in the sandbox as high because the sandbox limits the
  privileges of a compromised rendering engine."

"sandbox limits" -> "sandbox is designed to limit". (Lawyers are rubbing off on me.)

2009/5/7 Adam Barth <aba...@chromium.org>
> Recently some folks have asked how we decide what severity to rate each
> security vulnerability. Thus far, we've mostly been using an informal
> process, but it seemed like a good idea to spell out our policy publicly.
>
> Below is a draft of some guidelines for assigning severities to security
> issues. Please let me know if you have any feedback. Once the draft
> stabilizes, we'll find a home for the guidelines on dev.chromium.org.
>
> http://docs.google.com/Doc?id=dd4p8wc4_11cxwzfqfm
>
> This document is heavily influenced by Mozilla's guidelines for rating
> security vulnerabilities, which you can find at
> https://wiki.mozilla.org/Security_Severity_Ratings. The main difference
> is that the above document explains how the severity of security issues
> interacts with the sandbox.
>
> Thanks!
> Adam
[chromium-dev] Re: Severity Guidelines for Security Issues
Thanks. Fixed.

Adam

On Fri, May 8, 2009 at 11:42 AM, Ian Fette <i...@chromium.org> wrote:
> Nit: under High,
>
>   "Additionally, we will usually rate issues that let an attacker execute
>   arbitrary code in the sandbox as high because the sandbox limits the
>   privileges of a compromised rendering engine."
>
> "sandbox limits" -> "sandbox is designed to limit". (Lawyers are rubbing
> off on me.)
>
> 2009/5/7 Adam Barth <aba...@chromium.org>
>> Recently some folks have asked how we decide what severity to rate each
>> security vulnerability. Thus far, we've mostly been using an informal
>> process, but it seemed like a good idea to spell out our policy publicly.
>>
>> Below is a draft of some guidelines for assigning severities to security
>> issues. Please let me know if you have any feedback. Once the draft
>> stabilizes, we'll find a home for the guidelines on dev.chromium.org.
>>
>> http://docs.google.com/Doc?id=dd4p8wc4_11cxwzfqfm
>>
>> This document is heavily influenced by Mozilla's guidelines for rating
>> security vulnerabilities, which you can find at
>> https://wiki.mozilla.org/Security_Severity_Ratings. The main difference
>> is that the above document explains how the severity of security issues
>> interacts with the sandbox.
>>
>> Thanks!
>> Adam