Hi,

In the absence of any objections, we'll update the guidelines to reflect the edits below (in bold). The focus here is to bring us in line with industry ratings (having spoken to Microsoft and looking at Mozilla's guidelines). The key change is to rate sandbox escape issues as "High".
Cheers,
Chris

Severity Guidelines for Security Issues

Although the Chromium project itself does not rate security vulnerabilities, vendors shipping products based on Chromium might wish to rate the severity of security issues in the products they release. This document contains guidelines for how to rate these issues. We recommend vendors rate security vulnerabilities using one of four severity levels: critical, high, medium, and low.

Critical

A vulnerability is critical if the vulnerability lets an attacker run arbitrary code with the user's privileges in the normal course of browsing. For example, an uncontrolled buffer overflow in the browser process should typically be rated critical, especially if a malicious web site can directly control the contents of the buffer. We recommend rating most memory safety issues in the browser process as critical unless the possibility of arbitrary code execution can be ruled out. However, not all crashes indicate a critical vulnerability. For example, Chromium is designed to crash in a controlled manner (e.g., with a __debugBreak) when memory is exhausted or in other exceptional circumstances. Also, an arbitrary code execution vulnerability that requires an unusual user action (such as printing a certificate error message) should typically not be rated as critical.

High

A vulnerability is of high severity if the vulnerability lets an attacker read or modify confidential data belonging to other web sites. For example, an issue that lets the attacker circumvent the same-origin policy should typically be rated high. Additionally, we recommend rating issues that let an attacker execute arbitrary code within the confines of the sandbox as high because the sandbox is designed to limit the privileges of a compromised rendering engine. Vulnerabilities that interfere with browser security features are also high severity. For example, issues that let attackers suppress SafeBrowsing warnings warrant a high rating because they can be combined with other vulnerabilities to cause serious harm to users. Similarly, vulnerabilities that disrupt other browser security indicators, such as the location bar and lock icon, are also high severity. (Note that the status bubble is not a security indicator.) *We also recommend rating vulnerabilities in the implementation of the sandbox as high even though these vulnerabilities are not typically accessible unless the attacker can also compromise the rendering engine.*

*Medium*

A vulnerability is of medium severity if the vulnerability lets an attacker obtain only limited amounts or kinds of information. For example, an issue that lets the attacker enumerate recently visited URLs should typically be rated medium. An issue that is not harmful in and of itself but that can be combined with other vulnerabilities to cause harm will usually warrant a medium severity. For example, ignoring a "do not cache" directive might not itself be harmful but might facilitate other attacks. Additionally, otherwise *higher* severity issues that require some unusual user action (such as terminating a tab's process while in full-screen mode) will typically be rated as medium severity.

Low

A vulnerability is of low severity if the vulnerability grants the attacker only temporary control over non-critical browser features. For example, an issue that lets the attacker hang the browser is a low severity issue. (Note that tab hangs are not security issues if they can be resolved simply by closing the tab.) Also, security improvements that are not necessarily vulnerabilities (like not saving the password portion of URLs in browser history) should also typically be rated as low severity. In general, users should be able to use a browser with low severity issues for extended periods of time without many adverse effects.
-- Chromium Developers mailing list: [email protected] View archives, change email options, or unsubscribe: http://groups.google.com/group/chromium-dev
