Security Severity Ratings/Merge: Difference between revisions

Revision as of 17:23, 20 March 2012

Security bugs are rated by specifying "sec-<rating>" in the "Keyword" field in bugzilla. For example, a bug with a Critical security rating would be marked as "sec-critical".

Severity Ratings

Severity Ratings & Examples
The following items are keywords for the severity of an issue. sec-critical Run attacker code with local user privilege or install malicious software, requiring no user interaction beyond normal browsing. Examples: Overflows resulting in native code execution JavaScript injection into browser chrome Launching of arbitrary local application with provided arguments Filetype spoofing where executables can masquerade as benign content types Installation & execution of plugins/modules with chrome/native privileges, without user consent or via user dialog fatigue Any crash where random memory or NULL is executed (the top of the stack is not a function) Any crash where random memory is accessed Any bug where random memory is written to is critical Any bug where random memory is read from and then used in a subsequent memory or jump operation (offset, array, etc) is critical Exploitable vulnerabilities which can lead to the widespread compromise of many users. XSS (Stored) CSRF Code Injection Authentication Flaws (which lead to account compromise) Session Management Flaws (which lead to account compromise) sec-high Obtain confidential data from other sites the user is visiting or the local machine, or inject data or code into those sites, requiring no more than normal browsing actions. Indefinite DoS of the user's system, requiring OS reinstallation or extensive cleanup. Exploitable web vulnerabilities that can lead to the targeted compromise of a small number of users. Examples: Cross-site Scripting (XSS) Theft of arbitrary files from local system Spoofing of full URL bar or bypass of SSL integrity checks Memory read that results in data being written into an inert container (ie string or image) that is subsequently accessible to content XSS (Reflected) Failure to use TLS where needed to ensure confidential/security sec-moderate Disclosure of sensitive information that represents a violation of privacy but by itself does not expose the user or organization to immediate risk. The vulnerability combined with another moderate vulnerability could result in an attack of high or critical severity (aka stepping stone). Indefinite application Denial of Service (DoS) via corruption of state, requiring application re-installation or temporary DoS of the user's system, requiring reboot.Vulnerabilities which can provide an attacker additional information or positioning that could be used in combination with other vulnerabilities. The lack of standard defense in depth techniques and security controls. Examples: Disclosure of OS username Disclosure of browser cache salt Disclosure of entire browsing history Detection of arbitrary local files Launching of arbitrary local application without arguments Local storage of passwords in unencrypted form Persistent DoS attacks that prevent the user from starting Firefox or another application in the future Missing Additional Security Controls (x-frame options, SECURE/HTTPOnly flags, etc) Error Handling Issues sec-low Minor security vulnerabilities such as leaks or spoofs of non-sensitive information. Missing best practice security controls Examples: Detection of previous visit to a specific site Identification of users by profiling browsing behavior. Corruption of chrome dialogs or user input without the ability to spoof arbitrary messages Lack of proper input validation (not resulting in XSS or injection) Content spoofing (non-html) Mitigating Circumstances If there are mitigating circumstances that severely reduce the effectiveness of the exploit, then the exploit could be reduced by one level of severity. Examples of mitigating circumstances include difficulty in reproducing due to very specific timing or load order requirements, complex or unusual set of actions the user would have to take beyond normal browsing behaviors, or unusual software configuration. As a rough guide, to be considered for reduction in severity an exploit should execute successfully less than 10% of the time. If measures can be taken to improve the reliability of the exploit to over 10% (by combining it with other existing bugs or techniques), then it should not be considered to be mitigated.

Additional Security Status Codes

If a potential security issue has not yet been assigned a severity rating, or a rating is not appropriate, the whiteboard may instead contain one of the following security status codes.

Shared Keywords
Code	Description	Examples
sg-needinfo	Information contained within the bug is incomplete, and additional information from the original submitter is required to confirm the bug.	Ambiguous or incomplete bug description. Inconsistency in reproducing the issue
sg-nse	Bugs that may not be exploitable security issues but are kept confidential to protect sensitive information.	Bugs that contain sensitive information about the bug submitter or another user Bugs that are related to security issues currently unfixed in Mozilla products or other products
sg-audit	Bug requires a code audit to investigate potential security problems.	Look for pattern x in library y Audit file z for string buffer abuse.
sg-vector-X	Flaws in software not controlled by (shipped with) Firefox, but that can cause security problems for people browsing with Firefox.	Bugs in plugins Bugs in system libraries used by Firefox
sg-want	New features or improvement ideas related to security	User interface refinements Support for new types of authentication Code refactoring / cleanup
sg-incident	Issues resulting in an incident response or 'chemspill' actions by the security team.	Sever compromise Code issues that would cause client code to be respun.
sec-review-needed	A security review is needed for the bug, this could mean a variety of things. If there is no secr:<username> in the whiteboard the item has not been triaged and action is unknown. Once triaged a note will be placed in the bug as to the action to be taken
sec-review-complete	The security review / actions desired have been completed. This will result in either a link to the notes from security actions or a note from the assigned resource in the bug.

Group Keywords

Code

Description

Examples

[cs-

Client Security (ie. Firefox, Thunderbird, etc)

[cs-
Code	Description
[cs-buffer-overrun]	The identified flaw is a buffer overrun

[ws-

Web Security (Web Sites, Web Services, etc)

[ws-
Code	Description
[ws-xss]	The identified flaw is cross site scripting flaw

[opsec-

Operations Security (Mozilla owned & operated severs and services)

[opsec-
Code	Description
[opsec-access]	The identified issue is an access violation.

Whiteboard Tags
Code	Description	Examples
sg-assigned:UserAlias	This designates the assigned security resource that is accountable for actions to be taken on the designated item. When possible the bug will be assigned to the security contact for action. This will be used when that is not possible or practical.	[sg-assigned:curtisk] indicates that curtisk is the accountable party for action

Feature Page Codes
Code	Description	Examples
sec-review-needed	A security review is needed for the feature, this could mean a variety of things. If there is no <username> in the notes then a full review needs to be scheduled, if a <username> is present than that person will follow-up with the feature team on whatever task is needed.
sec-review-complete	The security review / actions desired have been completed. This will result in a link to the notes from security actions or a note from the assigned resource.
sec-review-active	There are active tasks associated with the review that are yet to be completed in order for the review to be seen as completed. These will be captured in the "Action Items" section of the review notes.
sec-review-sched	Security review tasks have been scheduled, if this is a full security review the date of the scheduled review will be present in the security notes.
sec-review-unnecessary	After triage it was felt the feature needed no review or security actions.
Security health: <blank>	There are no notes or status is unknown.	Color: <None>
Security health: OK	The tasks are on schedule or completed and are considered non-blocking.	Color: Green
Security health: Blocked	Some aspect of the security review has given cause to block the feature from further work or landing. The reasons will be listed in the security notes or linked to a larger review outcome for follow-up.	Color: Yellow
Security health: At Risk	Some aspect of the security review may cause the feature to be blocked or put the feature at risk of being off schedule.The reasons will be listed in the security notes or linked to a larger review outcome for follow-up.	Color: Red
Security health: Assigned	Security tasks have been assigned to a member of the team to followup. The name of this resource will be in the security notes.	Color: Teal

Priority Matrix (primarily OpSec)
Blocker Anything which is easily exploitable or reproducible and/or we are seeing active attempts to exploit. Anything which has a high impact to Mozilla should also be considered. This priority flag should communicate that other work is blocked by this issue and it should be resolved immediatly. Examples: SQL injection or Injection Flaws and Remote File Inclusion (RFI) Anything which has been publicized as a 0day which falls into the 'Critical' category. Flaws being activly used in the wild (chemspill?). Critical Vulnerabilities which are exploitable and/or hard to reproduce. We are also not seeing these being actively exploited or have another means to protect against a vulnerability. Examples: XSS CSRF and Authentication or token handling issues Major: Vulnerabilities which have a slightly less degree of impact compared to Critical. Examples: Content Spoofing Information Disclosure or Error Handling Normal Internal vulnerability with a low likelihood of being remotely exploitable.

Transition Plan


What may Break	Fixed
Securitywiki:Open sg:critical/high bugs (ordered by modification date)	No
Securitywiki:Open sg:critical bugs	No
Securitywiki:Open sg:high bugs	No
Securitywiki:Open Firefox 12 critical bugs	No
Securitywiki:Open Firefox 13 critical bugs	No
Securitywiki:Open Firefox 14 critical bugs	No
Securitywiki: sg:critical bugs not triaged for 12 & 13	No
Securitywiki:sg:critical bugs not triaged for 13 & 14	No
Securitywiki:New, untriaged security-sensitive bugs	No
Securitywiki:recently fixed (3m) high/critical not triaged for 10/	No
Securitywiki:recently fixed (6w) untriaged security bugs	No
Securitywiki:need info	No
Securitywiki:Firefox 5 triage, critical and high bugs that	No
Securitywiki:[Need blocking triage]	No
Securitywiki:[Block]	No
Securitywiki:[Don't block]	No
Securitywiki:security closed bugs with no sg: markings	No
Securitywiki:Unresolved hidden bugs with or without sg: whiteboard markers	No
Securitywiki:Security Bug crashes in need of triage	No
Securitywiki:fuzz testing bugs filed and fixed	No
Securitywiki:fuzz testing bugs still open	No
Securitywiki:Fixed on trunk but un-triaged for branch	No
Securitywiki:Fixed on trunk, truly un-triaged for branch	No
Securitywiki:(fixed on trunk but not wanted on branch - problem doesn't exist	No
Securitywiki:(maybe wanted - baking on the trunk to assess risk	No
Securitywiki:definitely wanted on the branch.	No
Securitywiki:wanted and fixed on the branch	No
Securitywiki:All disclosed bugs	No
Securitywiki:Fixed and disclosed security bugs	No
Securitywiki:"Historical Fix Rate Info	No
Security Radar: Bugs Marked for Review	No
Security Radar: Assigned Security Bugs	No
Security Radar Triage: Sec-Review-Needed Query	No
Security Radar Triage: Assigned Bugs	No
Firefox Platform Meeting: Bugs marked sec-review-needed that need to be scheduled	No

@@ Line 249: / Line 249: @@
 |}
 ==Transition Plan==
+{| style="width: 800px;" class="wikitable collapsible collapsed fullwidth-table"
+!
+|-
+! style="width:10%"| What may Break
+! style="width:5%" | Fixed
+|-
+| Securitywiki:Open sg:critical/high bugs (ordered by modification date)
+| No
+|-
+| Securitywiki:Open sg:critical bugs
+| No
+|-
+| Securitywiki:Open sg:high bugs
+| No
+|-
+| Securitywiki:Open Firefox 12 critical bugs
+| No
+|-
+| Securitywiki:Open Firefox 13 critical bugs
+| No
+|-
+| Securitywiki:Open Firefox 14 critical bugs
+| No
+|-
+| Securitywiki: sg:critical bugs not triaged for 12 & 13
+| No
+|-
+| Securitywiki:sg:critical bugs not triaged for 13 & 14
+| No
+|-
+| Securitywiki:New, untriaged security-sensitive bugs
+| No
+|-
+| Securitywiki:recently fixed (3m) high/critical not triaged for 10/
+| No
+|-
+| Securitywiki:recently fixed (6w) untriaged security bugs
+| No
+|-
+| Securitywiki:need info
+| No
+|-
+| Securitywiki:Firefox 5 triage, critical and high bugs that
+| No
+|-
+| Securitywiki:[Need blocking triage]
+| No
+|-
+| Securitywiki:[Block]
+| No
+|-
+| Securitywiki:[Don't block]
+| No
+|-
+| Securitywiki:security closed bugs with no sg: markings
+| No
+|-
+| Securitywiki:Unresolved hidden bugs with or without sg: whiteboard markers
+| No
+|-
+| Securitywiki:Security Bug crashes in need of triage
+| No
+|-
+| Securitywiki:fuzz testing bugs filed and fixed
+| No
+|-
+| Securitywiki:fuzz testing bugs still open
+| No
+|-
+| Securitywiki:Fixed on trunk but un-triaged for branch
+| No
+|-
+| Securitywiki:Fixed on trunk, truly un-triaged for branch
+| No
+|-
+| Securitywiki:(fixed on trunk but not wanted on branch - problem doesn't exist
+| No
+|-
+| Securitywiki:(maybe wanted - baking on the trunk to assess risk
+| No
+|-
+| Securitywiki:definitely wanted on the branch.
+| No
+|-
+| Securitywiki:wanted and fixed on the branch
+| No
+|-
+| Securitywiki:All disclosed bugs
+| No
+|-
+| Securitywiki:Fixed and disclosed security bugs
+| No
+|-
+| Securitywiki:"Historical Fix Rate Info
+| No
+|-
+| Security Radar: Bugs Marked for Review
+| No
+|-
+| Security Radar: Assigned Security Bugs
+| No
+|-
+| Security Radar Triage: Sec-Review-Needed Query
+| No
+|-
+| Security Radar Triage: Assigned Bugs
+| No
+|-
+| Firefox Platform Meeting: Bugs marked sec-review-needed that need to be scheduled
+| No
+|-
+|}
 ==Example Searches==
 ==Archive==
 [[/Security_Severity_Ratings/archive | archive]]

Security Severity Ratings/Merge: Difference between revisions

Revision as of 17:23, 20 March 2012

Contents

Severity Ratings

Additional Security Status Codes

Transition Plan

Example Searches

Archive

Navigation menu