See [BUG-BOUNTY](https://curl.se/docs/bugbounty.html) for details on the
bug bounty program.
+# Severity levels
+
+The curl project's security team rates security problems using four severity
+levels depending how serious we consider the problem to be. We use **Low**,
+**Medium**, **High** and **Critical**. We refrain from using numerical scoring
+of vulnerabilities.
+
+When deciding severity level on a particular issue, we take all the factors
+into account: attack vector, attack complexity, required privileges, necessary
+build configuration, protocols involved, platform specifics and also what
+effects a possible exploit or trigger of the issue can lead do, including
+confidentiality, integrity or availability problems.
+
+## Low
+
+This is a security problem that is truly hard or unlikely to exploit or
+trigger. Due to timing, platform requirements or the fact that options or
+protocols involved are rare etc. [Past
+example](https://curl.se/docs/CVE-2022-43552.html)
+
+## Medium
+
+This is a security problem that is less hard than **Low** to exploit or
+trigger. Less strict timing, wider platforms availability or involving more
+widely used options or protocols. A problem that usually needs something else
+to also happen to become serious. [Past
+example](https://curl.se/docs/CVE-2022-32206.html)
+
+## High
+
+This issue in itself a serious problem with real world impact. Flaws that can
+easily compromise the confidentiality, integrity or availability of resources.
+Exploiting or triggering this problem is not hard. [Past
+example](https://curl.se/docs/CVE-2019-3822.html)
+
+## Critical
+
+Easily exploitable by a remote unauthenticated attacker and lead to system
+compromise (arbitrary code execution) without requiring user interaction, with
+a common configuration on a popular platform. This issue has few restrictions
+and requirements and can be exploited easily using most curl configurations.
+
+No past curl vulnerability has had this severity level.
+
# Not security issues
This is an incomplete list of issues that are not considered vulnerabilities.
projects / thirdparty / curl.git / commitdiff
