Security Severity Ratings/Client: Difference between revisions

Repaired missing links in the introduction; minor section-grouping change for "Alternate Keywords"
(Added csectype-framepoisoning, csectype-nullptr, csectype-race, csectype-sidechannel, csectype-spoof. Removed csectype-ui-redress.)
Line 1: Line 1:
__TOC__


The page pertains specifically to Client Applications: the Firefox web browser and mobile applications.  For severity ratings for Mozilla Servers and Web Properties, see this corresponding page. For details about the bug bounty for the Firefox browser, and specific other applications, see [this page]. For details about the bug bounty for Mozilla Servers and Web Properties, see [this page].
The page pertains specifically to Client Applications: the Firefox web browser and mobile applications. For severity ratings for Mozilla Servers and Web Properties, see [[Security_Severity_Ratings/Web]]. For details about Mozilla's bug bounty program, please visit the [https://www.mozilla.org/en-US/security/bug-bounty/ bounty pages] on our official site.


==Severity Ratings ==
Line 70: Line 70:
|}


==Additional Status Codes, Whiteboard Tracking Tags & Flags==
If a potential security issue has not yet been assigned a severity rating, or a rating is not appropriate, the keywords may instead contain one of the following security status codes.


=== Alternate Keywords ===


Often none of the above severity ratings apply to a bug, because it is not a vulnerability but nonetheless is security sensitive and needs to be kept private. These keywords apply to those.
Sometimes none of the above severity ratings apply to a bug because it is not a vulnerability itself, but nonetheless is security-sensitive for other reasons and needs to be kept private. These keywords apply to those.


While we request that only the security team assign <u>sec-high</u> and similar ratings, we encourage you to tag things <u>sec-want</u> and <u>sec-audit</u> if you feel it applies.
Line 124: Line 121:


A historical keyword is <b>sec-incident</b>, which is no longer used.
==Additional Security Keywords, Whiteboard Tracking Tags & Flags==
In addition to characterizing the severity of an issue with the <code>sec-</code> keywords, we also have sub-type keywords, whiteboard tags (standardized strings), and flags that we can use to further characterize a security issue.


=== csectype- Keywords ===