Severity Ratings
In all cases, the severity of server and web application bugs depends on the criticality of the service and the value of the data that could be compromised. Thus, while the table below provides very broad guidelines, it cannot be used on its own to determine the severity of a bug without considering the affected service.
Severity Ratings & Examples
The following items are keywords for the severity of an issue.

- sec-critical
  - Critical vulnerabilities are urgent security issues that present an ongoing or immediate danger to users of our services. Often there is no technical difference between a sec-critical and a sec-high; the difference is purely related to the classification of the site and the risk to users.
  - sec-critical Examples:
    - Remote Code Execution on a Critical or Core site
    - Authentication Flaws (which lead to account compromise)
    - Session Management Flaws (which lead to account compromise)
    - Stored Cross-site Scripting (XSS)
    - Reflected XSS on a Critical Site
- sec-high
  - Typically, sec-high issues are exploitable web vulnerabilities that can lead to the targeted compromise of a small number of users.
  - sec-high Examples:
    - Reflected XSS on a site that is not Critical or Core
    - CSRF
    - Failure to use TLS where needed to ensure confidentiality/security
- sec-moderate
  - Vulnerabilities which can provide an attacker additional information or positioning that could be used in combination with other vulnerabilities. Disclosure of sensitive information that represents a violation of privacy but by itself does not expose the user or organization to immediate risk. A vulnerability that, combined with another moderate vulnerability, could result in an attack of high or critical severity (a "stepping stone"). The lack of standard defense-in-depth techniques and security controls.
  - sec-moderate Examples:
    - XSS blocked by CSP
    - Detection of arbitrary local files
    - Missing Additional Security Controls (X-Frame-Options, Secure/HttpOnly cookie flags, etc.)
    - Error Handling Issues
- sec-low
  - Minor security vulnerabilities such as leaks or spoofs of non-sensitive information. Missing best-practice security controls.
  - sec-low Examples:
    - Lack of proper input validation (not resulting in XSS or injection)
    - Content spoofing (non-HTML)
Additional Whiteboard Tracking Tags & Flags
wsectype- Keywords
wsectype- keywords are assigned to bugs to indicate the type of a website vulnerability. These should be assigned to every vulnerability. If you feel you can identify the type of a security bug we encourage you to classify it yourself.
| Code | Description |
| --- | --- |
| wsec-applogic | Issues relating to the application logic |
| wsec-appmisconfig | Application misconfiguration |
| wsec-authentication | Website or server authentication security issues (lockouts, password policy, etc.) |
| wsec-authorization | Web/server authorization security issues |
| wsec-automation-attack | Application is vulnerable to automation attacks |
| wsec-bruteforce | Application is vulnerable to brute-force attacks |
| wsec-client | Web client-side related vulnerability |
| wsec-cookie | Cookie-related errors (HttpOnly / Secure flag, incorrect domain / path) |
| wsec-crossdomain | Issues such as X-Frame-Options, crossdomain.xml, cross-site sharing settings |
| wsec-crypto | Crypto-related items such as password hashing |
| wsec-csrf | Cross-Site Request Forgery (CSRF) bugs in server products |
| wsec-deplib | Known vulnerability in a dependent library |
| wsec-dir-index | Directory index incorrectly accessible |
| wsec-disclosure | Disclosure of sensitive data, personal information, etc. from a web service |
| wsec-dos | Used to denote web server Denial of Service bugs. For similar bugs in client software please use csectype-dos instead. |
| wsec-email | Email-related vulnerability |
| wsec-errorhandling | Any error handling issue |
| wsec-fileinclusion | Local or remote file inclusion possible |
| wsec-headers | Missing or misconfigured security headers |
| wsec-http | Application is incorrectly accessible over HTTP |
| wsec-http-header-inject | Application vulnerable to header injection attacks |
| wsec-impersonation | Impersonation / spoofing attacks (UI redress, etc.) |
| wsec-injection | Injection attacks other than SQLi or XSS |
| wsec-input | Failure to perform input validation. Most often you will probably use the xss tag instead. |
| wsec-logging | Logging issues such as requests for CEF log points |
| wsec-nullbyte | Application is vulnerable to null byte injection |
| wsec-objref | Insecure direct object references used |
| wsec-oscmd | Application is vulnerable to operating system command injection |
| wsec-other | Web/server security issues that don't fit into other categories |
| wsec-overflow | Application is vulnerable to overflow attacks |
| wsec-redirect | Open redirect vulnerability |
| wsec-selfxss | Self cross-site scripting |
| wsec-serialization | Insecure deserialization |
| wsec-servermisconfig | Server misconfiguration |
| wsec-session | Issues related to session management (session fixation, etc.) |
| wsec-sqli | SQL Injection |
| wsec-ssrf | Server Side Request Forgery (SSRF) bugs in server products. CWE-918 |
| wsec-takeover | Domain vulnerable to takeover |
| wsec-tls | TLS-related issues |
| wsec-traversal | Directory traversal possible |
| wsec-weakpasswd | Weak passwords can be used |
| wsec-xml | XML-related vulnerability, including XML External Entity (XXE) processing |
| wsec-xss | Cross-Site Scripting (XSS) bugs in server products |
secopstype- Keywords
secopstype- keywords are assigned to bugs to indicate the type of a client or website vulnerability. If you feel you can identify the type of a security bug we encourage you to classify it yourself.
| Code | Description |
| --- | --- |
| secops-cred-leak | Issues relating to credential leaks of Mozilla-related accounts |
Flags

| Flag | Description |
| --- | --- |
| sec-bounty | Shows the status of a bug with regards to a bounty payout per our bounty guidelines |
| sec-bounty-hof | Shows the status of a bug with regards to a bounty hall of fame entry |

sec-bounty settings:

| Setting | Description |
| --- | --- |
| '?' | Bug is nominated for review by the bounty committee |
| '+' | Bug has been accepted and a payment will be made |
| '-' | Bug does not meet criteria and a payment will not be made |

sec-bounty-hof settings:

| Setting | Description |
| --- | --- |
| '?' | Bug is nominated for review by the bounty committee |
| '+' | Bug has been accepted and an entry in the hall of fame will be made |
| '-' | Bug does not meet criteria and a hall of fame entry will not be made |