From: Daniel Stenberg Date: Mon, 19 Dec 2022 17:04:11 +0000 (+0100) Subject: SECURITY-PROCESS.md: document severity levels X-Git-Tag: curl-7_88_0~247 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=07dfbc08bfb4322b257d6fae775451ec58e63c80;p=thirdparty%2Fcurl.git SECURITY-PROCESS.md: document severity levels Closes #10118 --- diff --git a/docs/SECURITY-PROCESS.md b/docs/SECURITY-PROCESS.md index 96d6bec42e..5ccde42bd6 100644 --- a/docs/SECURITY-PROCESS.md +++ b/docs/SECURITY-PROCESS.md 
@@ -134,6 +134,50 @@ has been published. See [BUG-BOUNTY](https://curl.se/docs/bugbounty.html) for details on the bug bounty program. +# Severity levels + +The curl project's security team rates security problems using four severity +levels depending how serious we consider the problem to be. We use **Low**, +**Medium**, **High** and **Critical**. We refrain from using numerical scoring +of vulnerabilities. + +When deciding severity level on a particular issue, we take all the factors +into account: attack vector, attack complexity, required privileges, necessary +build configuration, protocols involved, platform specifics and also what +effects a possible exploit or trigger of the issue can lead do, including +confidentiality, integrity or availability problems. + +## Low + +This is a security problem that is truly hard or unlikely to exploit or +trigger. Due to timing, platform requirements or the fact that options or +protocols involved are rare etc. [Past +example](https://curl.se/docs/CVE-2022-43552.html) + +## Medium + +This is a security problem that is less hard than **Low** to exploit or +trigger. Less strict timing, wider platforms availability or involving more +widely used options or protocols. A problem that usually needs something else +to also happen to become serious. [Past +example](https://curl.se/docs/CVE-2022-32206.html) + +## High + +This issue in itself a serious problem with real world impact. Flaws that can +easily compromise the confidentiality, integrity or availability of resources. +Exploiting or triggering this problem is not hard. [Past +example](https://curl.se/docs/CVE-2019-3822.html) + +## Critical + +Easily exploitable by a remote unauthenticated attacker and lead to system +compromise (arbitrary code execution) without requiring user interaction, with +a common configuration on a popular platform. This issue has few restrictions +and requirements and can be exploited easily using most curl configurations. 
+ +No past curl vulnerability has had this severity level. + # Not security issues This is an incomplete list of issues that are not considered vulnerabilities.
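Review bot: several wording slips in the new "Severity levels" section should be fixed before this lands, since the text becomes the project's public policy: "effects a possible exploit or trigger of the issue can lead do" should read "lead to"; "This issue in itself a serious problem" is missing "is"; "depending how serious we consider" should be "depending on how serious we consider"; and "wider platforms availability" should be "wider platform availability". In the Critical paragraph, "Easily exploitable by a remote unauthenticated attacker and lead to system compromise" needs "leads to" to agree with its subject. The section also never says whether a severity rating is fixed at publication or may be revised later as more is learned about an issue; one sentence on that would remove an obvious question from readers.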