The branch master has been updated via b2b47654bac1dd2793ad8eecd02b3ff832f084c4 (commit) from a75e0423f02a7c5c89874befd98512f867a56c28 (commit)
- Log ----------------------------------------------------------------- commit b2b47654bac1dd2793ad8eecd02b3ff832f084c4 Author: Mark J. Cox <m...@awe.com> Date: Mon Sep 28 13:07:43 2015 +0100 Update security policy as agreed to include a new critical level, for background see associated blog post ----------------------------------------------------------------------- Summary of changes: policies/secpolicy.html | 51 +++++++++++++++++++++++++++++++------------------ 1 file changed, 32 insertions(+), 19 deletions(-) diff --git a/policies/secpolicy.html b/policies/secpolicy.html index 832510d..e75ca67 100644 --- a/policies/secpolicy.html +++ b/policies/secpolicy.html @@ -12,7 +12,7 @@ <header> <h2>Security Policy</h2> <h5> - Last modified 7th September 2014 + Last modified 28th September 2015 </h5> </header> <div class="entry-content"> 
@@ -110,6 +110,36 @@ We divide the issues into the following categories:</p> <ul> + <li><em>CRITICAL Severity.</em> + This affects common configurations and which are also likely to + be exploitable. Examples include significant disclosure of the + contents of server memory (potentially revealing user details), + vulnerabilities which can be easily exploited remotely to + compromise server private keys (excluding local, theoretical or + difficult to exploit side channel attacks) or where remote code + execution is considered likely in common situations. These + issues will be kept private and will trigger a new release of + all supported versions. We will attempt to address these as + soon as possible.</li> + + <li> + <em>HIGH Severity.</em> + This includes issues that are of a lower risk than critical, + perhaps due to affecting less common configurations, or which + are less likely to be exploitable. These issues will be kept + private and will trigger a new release of all supported + versions. We will attempt to keep the time these issues are + private to a minimum; our aim would be no longer than a month + where this is something under our control</li> + + <li> + <em>MODERATE Severity.</em> + This includes issues like crashes in client applications, + flaws in protocols that are less commonly used (such as DTLS), + and local flaws. These will in general be kept private until + the next release, and that release will be scheduled so that it + can roll up several such flaws at one time.</li> + <li> <em>LOW Severity.</em> This includes issues such as those that only affect the 
@@ -120,23 +150,6 @@ will update the vulnerabilities page and note the issue CVE in the changelog and commit message, but they may not trigger new releases.</li> - <li> - <em>MODERATE Severity.</em> - This includes issues like crashes in client applications, - flaws in protocols that are less commonly used (such as DTLS), - and local flaws. These will in general be kept private until - the next release, and that release will be scheduled so that it - can roll up several such flaws at one time.</li> - <li><em>HIGH Severity.</em> - This includes issues affecting common configurations which are - also likely to be exploitable. Examples include a server DoS, a - significant leak of server memory, and remote code execution. - These issues will be kept private and will trigger a new release - of all supported versions. We will attempt to keep the time - these issues are private to a minimum; our aim would be no - longer than a month where this is something under our control, - and significantly quicker if there is a significant risk or we - are aware the issue is being exploited.</li> </ul> <p>During the investigation of issues we may work with individuals @@ -161,7 +174,7 @@ to handle triaging our announcement and what it means to their organisation.</p> - <p>For updates that include high severity issues we will + <p>For updates that include critical or high severity issues we will also prenotify with more details and patches. Our policy is to let the organisations that have a general purpose OS that uses OpenSSL have a few days notice in order to prepare _____ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
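Review bot: in the @@ -110,6 +110,36 @@ hunk the opening sentence of the new CRITICAL item does not parse ("This affects common configurations and which are also likely to be exploitable.") and looks like a partial merge of the old HIGH wording; suggest "This includes issues affecting common configurations which are also likely to be exploitable." Two smaller points in the same hunk: the HIGH item ends "under our control</li>" with no full stop, and the CRITICAL item opens as `<li><em>CRITICAL Severity.</em>` on one line while the HIGH, MODERATE and LOW items put `<em>` on the line after `<li>`, so the list should settle on one layout. More substantively, HIGH is now defined only relative to CRITICAL ("of a lower risk than critical", "less common configurations", "less likely to be exploitable") and the old HIGH example "a server DoS" is not carried into any tier, so a reader can no longer tell from the policy where a remotely triggerable server DoS lands; consider restoring a concrete example under HIGH.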
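Review bot: the @@ -120,23 +150,6 @@ hunk deletes the old HIGH commitment "and significantly quicker if there is a significant risk or we are aware the issue is being exploited", and neither replacement item restores it: the new CRITICAL text only says "as soon as possible" and the new HIGH text stops at the one-month aim. If dropping the explicit active-exploitation clause is intended, the commit message should say so; otherwise carry it over into the new HIGH item so the policy still states what happens when an issue is known to be exploited in the wild.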