The branch master has been updated
       via  b2b47654bac1dd2793ad8eecd02b3ff832f084c4 (commit)
      from  a75e0423f02a7c5c89874befd98512f867a56c28 (commit)


- Log -----------------------------------------------------------------
commit b2b47654bac1dd2793ad8eecd02b3ff832f084c4
Author: Mark J. Cox <m...@awe.com>
Date:   Mon Sep 28 13:07:43 2015 +0100

    Update security policy as agreed to include a new critical level, for
    background see associated blog post

-----------------------------------------------------------------------

Summary of changes:
 policies/secpolicy.html | 51 +++++++++++++++++++++++++++++++------------------
 1 file changed, 32 insertions(+), 19 deletions(-)

diff --git a/policies/secpolicy.html b/policies/secpolicy.html
index 832510d..e75ca67 100644
--- a/policies/secpolicy.html
+++ b/policies/secpolicy.html
@@ -12,7 +12,7 @@
          <header>
            <h2>Security Policy</h2>
            <h5>
-             Last modified 7th September 2014
+             Last modified 28th September 2015
            </h5>
        </header>
          <div class="entry-content">
@@ -110,6 +110,36 @@
            We divide the issues into the following categories:</p>
 
            <ul>
+              <li><em>CRITICAL Severity.</em>
+              This affects common configurations and which are also likely to
+              be exploitable. Examples include significant disclosure of the
+              contents of server memory (potentially revealing user details),
+              vulnerabilities which can be easily exploited remotely to
+              compromise server private keys (excluding local, theoretical or
+              difficult to exploit side channel attacks) or where remote code
+              execution is considered likely in common situations.  These
+              issues will be kept private and will trigger a new release of
+              all supported versions.  We will attempt to address these as
+              soon as possible.</li>
+
+             <li>
+              <em>HIGH Severity.</em>
+              This includes issues that are of a lower risk than critical,
+              perhaps due to affecting less common configurations, or which
+              are less likely to be exploitable.  These issues will be kept
+              private and will trigger a new release of all supported
+              versions.  We will attempt to keep the time these issues are
+              private to a minimum; our aim would be no longer than a month
+              where this is something under our control</li>
+              
+             <li>
+             <em>MODERATE Severity.</em>
+             This includes issues like crashes in client applications,
+             flaws in protocols that are less commonly used (such as DTLS),
+             and local flaws.  These will in general be kept private until
+             the next release, and that release will be scheduled so that it
+             can roll up several such flaws at one time.</li>
+              
              <li>
              <em>LOW Severity.</em>
              This includes issues such as those that only affect the
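Review bot: the opening sentence of the new CRITICAL entry does not parse: "This affects common configurations and which are also likely to be exploitable" should read "This affects common configurations which are also likely to be exploitable", mirroring the wording of the old HIGH entry it replaces. Two smaller points in the same hunk: the new HIGH entry ends without a full stop after "where this is something under our control", and the three added `<li>` elements use three different indentations (compare `<li><em>CRITICAL` against the `<li>` lines for HIGH and MODERATE and the existing LOW entry), with trailing whitespace on the two blank lines between them. One documentation gap worth closing while the text is open: CRITICAL excludes "local, theoretical or difficult to exploit side channel attacks" from that level but does not say which level they fall into; MODERATE covers "local flaws", but remote side channels that are merely hard to exploit are not placed anywhere.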
@@ -120,23 +150,6 @@
              will update the vulnerabilities page and note the issue CVE in
              the changelog and commit message, but they may not trigger new
              releases.</li>
-             <li>
-             <em>MODERATE Severity.</em>
-             This includes issues like crashes in client applications,
-             flaws in protocols that are less commonly used (such as DTLS),
-             and local flaws.  These will in general be kept private until
-             the next release, and that release will be scheduled so that it
-             can roll up several such flaws at one time.</li>
-             <li><em>HIGH Severity.</em>
-             This includes issues affecting common configurations which are
-             also likely to be exploitable.  Examples include a server DoS, a
-             significant leak of server memory, and remote code execution.
-             These issues will be kept private and will trigger a new release
-             of all supported versions.  We will attempt to keep the time
-             these issues are private to a minimum; our aim would be no
-             longer than a month where this is something under our control,
-             and significantly quicker if there is a significant risk or we
-             are aware the issue is being exploited.</li>
            </ul>
 
            <p>During the investigation of issues we may work with individuals
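Review bot: deleting the old HIGH entry drops its closing clause, "and significantly quicker if there is a significant risk or we are aware the issue is being exploited", and nothing equivalent appears in the new CRITICAL or HIGH text added in the previous hunk (CRITICAL only says "as soon as possible", HIGH keeps only the one-month aim). If the project still intends to shorten the embargo for issues known to be exploited, that commitment should be carried over, most naturally into the new HIGH entry. The removed example list also loses "a server DoS", which is now mentioned under no level at all: MODERATE lists crashes in client applications only, so a reader cannot tell whether a remotely triggerable server crash is HIGH or MODERATE under the new scheme.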
@@ -161,7 +174,7 @@
            to handle triaging our announcement and what it means to
            their organisation.</p>
 
-           <p>For updates that include high severity issues we will
+           <p>For updates that include critical or high severity issues we will
            also prenotify with more details and patches.  Our policy
            is to let the organisations that have a general purpose OS
            that uses OpenSSL have a few days notice in order to prepare
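Review bot: the pre-notification paragraph now includes critical issues, but the lead time that follows is still a flat "a few days notice" for general purpose OS vendors; since the new CRITICAL entry promises to address those issues "as soon as possible", it would help readers to state here whether critical fixes get the same few-day window or whether the notice period may be shorter for them.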
_____
openssl-commits mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
