(removing secopstype keyword section: it was moved to the "web" keywords page)
(3 intermediate revisions by 2 users not shown)
Line 27: | Line 27: | ||
|- | |- | ||
| | | | ||
* Memory Safety issues, unless constrained e.g. by OOM conditions | |||
* Theft of arbitrary files from local system | * Theft of arbitrary files from local system | ||
* | * Domain spoofing that affects the actual URL bar or prevents it from appearing; excluding fullscreen techniques | ||
* JavaScript injection into browser chrome or other origins | * JavaScript injection into browser chrome or other origins | ||
* Failure to use TLS where needed to ensure confidential/security | * Failure to use TLS where needed to ensure confidential/security | ||
* Sandbox escapes | * Sandbox escapes | ||
* Proxy bypass | * Proxy bypass | ||
* Disclosure of browsing history | * Disclosure of detailed browsing history | ||
* Launching of arbitrary local application with provided arguments | * Launching of arbitrary local application with provided arguments | ||
* Installation & execution of plugins/modules with chrome/native privileges, without user consent or via user dialog fatigue | * Installation & execution of plugins/modules with chrome/native privileges, without user consent or via user dialog fatigue | ||
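Review bot: the two OOM carve-outs in this revision do not say where a reliably triggerable OOM crash ends up. This tier now reads "Memory Safety issues, unless constrained e.g. by OOM conditions" while the tier in the next hunk reads "Memory Safety issues caused by OOM conditions; unless precise triggering of the condition can be shown", so a bug that satisfies the second exception is excluded from both tiers as written. Suggest having the two exceptions reference each other, e.g. "unless constrained by OOM conditions (OOM issues with a demonstrated precise trigger are rated here; others one tier lower)". Separately, the unchanged TLS line "to ensure confidential/security" should read "confidentiality/security".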
Line 46: | Line 44: | ||
|- | |- | ||
| | | | ||
* Private Browsing Mode data leaks | * Memory Safety issues caused by OOM conditions; unless precise triggering of the condition can be shown | ||
* Techniques that put the browser into fullscreen mode without user interaction or while obscuring the notification | |||
* Techniques that overlay the address bar with another piece of browser chrome to obscure it | |||
* Private Browsing Mode data leaks discoverable in the Browser UI (excepting user-directed actions like Bookmarks) | |||
* Private Browsing Mode data leaks to disk on Desktop | |||
* Disclosure of OS username | * Disclosure of OS username | ||
* Disclosure of browsing history through efficient and fast timing side channels | * Disclosure of more limited browsing history or browsing history through efficient and fast timing side channels | ||
* Detection of arbitrary local files | * Detection of arbitrary local files | ||
* Launching of arbitrary local application without arguments | * Launching of arbitrary local application without arguments | ||
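Review bot: the reworded bullet "Disclosure of more limited browsing history or browsing history through efficient and fast timing side channels" is ambiguous: it reads either as one item with two clauses or as two separate items, and "more limited" is defined only by contrast with "detailed browsing history" in the tier above. Suggest splitting it into two bullets, "Disclosure of limited browsing history (less than the detailed history rated in the tier above)" and "Disclosure of browsing history through efficient and fast timing side channels".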
Line 59: | Line 61: | ||
|- | |- | ||
| | | | ||
* Private Browsing Mode data leaks to disk on Mobile, excepting data cleaned on startup due to process reaping | |||
* Techniques that cause a JavaScript alert to be shown with a different domain than the one in the address bar (or one of its nested browsing contexts) | |||
* Detection of a previous visit to a specific site, or when the affected site has a certain configuration | * Detection of a previous visit to a specific site, or when the affected site has a certain configuration | ||
* Identification of users by profiling browsing behavior. | * Identification of users by profiling browsing behavior. | ||
* Corruption of chrome dialogs or user input without the ability to spoof arbitrary messages | * Corruption of chrome dialogs or user input without the ability to spoof arbitrary messages | ||
* Most Denial of Service vulnerabilities, such as those requiring a browser restart | * Most Denial of Service vulnerabilities, such as triggering a release assertion or those requiring a browser restart | ||
|} | |} | ||
;'''Mitigating Circumstances''': | ;'''Mitigating Circumstances''': | ||
Line 81: | Line 85: | ||
|- | |- | ||
| | | | ||
;'''sec-other''': sec-other is | ;'''sec-other''': sec-other is used for bugs that are not themselves exploitable security issues but may contain information about other security-sensitive issues that needs to be kept confidential. Note: if the private information is not related to security issues the bug should use "employee confidential" or some other group instead of "security-sensitive" | ||
{| class="wikitable collapsible " style="width: 100%" | {| class="wikitable collapsible " style="width: 100%" | ||
! ''sec-other Examples:'' | ! ''sec-other Examples:'' | ||
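Review bot: the expanded sec-other definition ends its "Note:" sentence without a closing period after "security-sensitive", and the sentence runs long; suggest "Note: if the private information is not related to security issues, the bug should use "employee confidential" or another group instead of "security-sensitive"." so the keyword description matches the punctuation of the surrounding definitions.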
Line 87: | Line 91: | ||
| | | | ||
* Gaps in fuzzing coverage to be addressed | * Gaps in fuzzing coverage to be addressed | ||
* | * Meta bugs tracking a group of related security issues | ||
* A non-security bug where an independent security issue was discovered during the investigation. The separate security issue should be addressed in a new bug, but the original issue needs to remain hidden until the security issue is resolved. | |||
|} | |} | ||
;'''sec-audit''': Bugs marked sec-audit are typically for tasks to investigate a particular component of concern, or pattern of concern. It should NEVER be used for an actual, identified vulnerability. Either a sec-audit bug should cause additional bugs to be opened for specific instances, or a specific bug should cause a sec-audit bug to be opened for investigating variants of the original. | ;'''sec-audit''': Bugs marked sec-audit are typically for tasks to investigate a particular component of concern, or pattern of concern. It should NEVER be used for an actual, identified vulnerability. Either a sec-audit bug should cause additional security bugs to be opened for specific instances, or a specific bug should cause a sec-audit bug to be opened for investigating variants of the original. | ||
{| class="wikitable collapsible " style="width: 100%" | {| class="wikitable collapsible " style="width: 100%" | ||
! ''sec-audit Examples:'' | ! ''sec-audit Examples:'' |
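Review bot: the new sec-other example ("A non-security bug where an independent security issue was discovered during the investigation") leaves open which keyword each of the two bugs carries while the original stays hidden. The definition above implies the original bug is the one marked sec-other and the new bug gets its own severity rating; stating that explicitly in the bullet, e.g. "The original bug is marked sec-other; the new bug is rated on its own merits", would avoid the original being mis-rated or the new bug inheriting sec-other.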