[chromium-dev] Re: Severity Guidelines for Security Issues

2009-05-08 Thread Ian Fette 
Nit: under High, " Additionally, we will usually rate issues that let an
attacker execute arbitrary code in the sandbox as high because the sandbox
limits the privileges of a compromised rendering engine."
sandbox limits -> sandbox is designed to limit. (Lawyers are rubbing off on
me.)

2009/5/7 Adam Barth 

>
> Recently some folks have asked how we decide what severity to rate
> each security vulnerability.  Thus far, we've mostly been using an
> informal process, but it seemed like a good idea to spell out our
> policy publicly.  Below is a draft of some guidelines for assigning
> severities to security issues.  Please let me know if you have any
> feedback.  Once the draft stabilizes, we'll find a home for the
> guidelines on dev.chromium.org.
>
> http://docs.google.com/Doc?id=dd4p8wc4_11cxwzfqfm
>
> This document is heavily influenced by Mozilla's guidelines for rating
> security vulnerabilities, which you can find at
> .  The main
> difference is that the above document explains how the severity of
> security issues interacts with the sandbox.
>
> Thanks!
> Adam
>
> >
>

--~--~-~--~~~---~--~~
Chromium Developers mailing list: chromium-dev@googlegroups.com 
View archives, change email options, or unsubscribe: 
http://groups.google.com/group/chromium-dev
-~--~~~~--~~--~--~---

[chromium-dev] Re: Severity Guidelines for Security Issues

2009-05-08 Thread Adam Barth 

Thanks.  Fixed.

Adam


On Fri, May 8, 2009 at 11:42 AM, Ian Fette  wrote:
> Nit: under High, " Additionally, we will usually rate issues that let an
> attacker execute arbitrary code in the sandbox as high because the sandbox
> limits the privileges of a compromised rendering engine."
> sandbox limits -> sandbox is designed to limit. (Lawyers are rubbing off on
> me.)
>
> 2009/5/7 Adam Barth 
>>
>> Recently some folks have asked how we decide what severity to rate
>> each security vulnerability.  Thus far, we've mostly been using an
>> informal process, but it seemed like a good idea to spell out our
>> policy publicly.  Below is a draft of some guidelines for assigning
>> severities to security issues.  Please let me know if you have any
>> feedback.  Once the draft stabilizes, we'll find a home for the
>> guidelines on dev.chromium.org.
>>
>> http://docs.google.com/Doc?id=dd4p8wc4_11cxwzfqfm
>>
>> This document is heavily influenced by Mozilla's guidelines for rating
>> security vulnerabilities, which you can find at
>> .  The main
>> difference is that the above document explains how the severity of
>> security issues interacts with the sandbox.
>>
>> Thanks!
>> Adam
>>
>> >>
>
>

--~--~-~--~~~---~--~~
Chromium Developers mailing list: chromium-dev@googlegroups.com 
View archives, change email options, or unsubscribe: 
http://groups.google.com/group/chromium-dev
-~--~~~~--~~--~--~---

[chromium-dev] Re: Severity Guidelines for Security Issues

2009-05-12 Thread Adam Barth 

Thanks for all your comments.  The guidelines are now posted at:

http://dev.chromium.org/developers/severity-guidelines

Adam


On Thu, May 7, 2009 at 11:41 PM, Adam Barth  wrote:
> Recently some folks have asked how we decide what severity to rate
> each security vulnerability.  Thus far, we've mostly been using an
> informal process, but it seemed like a good idea to spell out our
> policy publicly.  Below is a draft of some guidelines for assigning
> severities to security issues.  Please let me know if you have any
> feedback.  Once the draft stabilizes, we'll find a home for the
> guidelines on dev.chromium.org.
>
> http://docs.google.com/Doc?id=dd4p8wc4_11cxwzfqfm
>
> This document is heavily influenced by Mozilla's guidelines for rating
> security vulnerabilities, which you can find at
> .  The main
> difference is that the above document explains how the severity of
> security issues interacts with the sandbox.
>
> Thanks!
> Adam
>

--~--~-~--~~~---~--~~
Chromium Developers mailing list: chromium-dev@googlegroups.com 
View archives, change email options, or unsubscribe: 
http://groups.google.com/group/chromium-dev
-~--~~~~--~~--~--~---