SECURITY-PROCESS.md: document severity levels

Closes #10118
This commit is contained in:
Daniel Stenberg 2022-12-19 18:04:11 +01:00
parent 5d0cad97a6
commit 07dfbc08bf
GPG Key ID: 5CC908FDB71E12C2


@ -134,6 +134,50 @@ has been published.
See [BUG-BOUNTY](https://curl.se/docs/bugbounty.html) for details on the
bug bounty program.
# Severity levels
The curl project's security team rates security problems using four severity
levels depending how serious we consider the problem to be. We use **Low**,
**Medium**, **High** and **Critical**. We refrain from using numerical scoring
of vulnerabilities.
When deciding severity level on a particular issue, we take all the factors
into account: attack vector, attack complexity, required privileges, necessary
build configuration, protocols involved, platform specifics and also what
effects a possible exploit or trigger of the issue can lead do, including
confidentiality, integrity or availability problems.
## Low
This is a security problem that is truly hard or unlikely to exploit or
trigger. Due to timing, platform requirements or the fact that options or
protocols involved are rare etc. [Past
example](https://curl.se/docs/CVE-2022-43552.html)
## Medium
This is a security problem that is less hard than **Low** to exploit or
trigger. Less strict timing, wider platforms availability or involving more
widely used options or protocols. A problem that usually needs something else
to also happen to become serious. [Past
example](https://curl.se/docs/CVE-2022-32206.html)
## High
This issue in itself a serious problem with real world impact. Flaws that can
easily compromise the confidentiality, integrity or availability of resources.
Exploiting or triggering this problem is not hard. [Past
example](https://curl.se/docs/CVE-2019-3822.html)
## Critical
Easily exploitable by a remote unauthenticated attacker and lead to system
compromise (arbitrary code execution) without requiring user interaction, with
a common configuration on a popular platform. This issue has few restrictions
and requirements and can be exploited easily using most curl configurations.
No past curl vulnerability has had this severity level.
# Not security issues
This is an incomplete list of issues that are not considered vulnerabilities.
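Review bot: several grammar slips in the new severity text should be fixed before this lands, since this file is published policy: in the opening paragraph "depending how serious" should read "depending on how serious", and "what effects a possible exploit or trigger of the issue can lead do" should read "can lead to"; under High, "This issue in itself a serious problem" is missing "is"; under Medium, "wider platforms availability" should read "wider platform availability"; under Critical, "Easily exploitable by a remote unauthenticated attacker and lead to system compromise" should read "and leads to system compromise" (or "can lead to"). Also worth a second look: the Low description runs "Due to timing, platform requirements or the fact that options or protocols involved are rare etc." as a sentence fragment after the first sentence, so joining it with the preceding one ("...hard or unlikely to exploit or trigger, due to timing, platform requirements, or because the options or protocols involved are rare") reads more clearly.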