Canmove, confirm, emeritus
2,776
edits
Changes
Created page with "===Changed Oct-31-2011 === Security bugs are rated by specifying [sg:<rating>] in the "Whiteboard" field in bugzilla. For example, a bug with a Critical severity rating would be..."
===Changed Oct-31-2011 ===
Security bugs are rated by specifying [sg:<rating>] in the "Whiteboard" field in bugzilla. For example, a bug with a Critical severity rating would be marked as [sg:critical]. You might also notice a [ws:<rating>] in the "Whiteboard" field which is used for our Web Applications. The severity rating system can be found on the [https://wiki.mozilla.org/WebAppSec/Web_App_Severity_Ratings Web Application Security Severity Rating] page.
==Severity Ratings Table==
<table border="1">
<tr>
<th scope="col">Severity</th>
<th scope="col">Decription</th>
<th scope="col">Examples</th>
</tr>
<tr>
<th scope="row">Critical</th>
<td align="left" valign="top"><p>Run attacker code with local user privilege or install malicious software, requiring no user interaction beyond normal browsing. The big bada boom.</p></td>
<td align="left" valign="top"> <p>Overflows resulting in native code excution</p>
<p>JavaScript injection into browser chrome</p>
<p>Launching of arbitrary local application with provided arguments</p>
<p>Filetype spoofing where executables can masquerade as benign content types</p>
<p>Installation & execution of plugins/modules with chrome/native privileges, without user consent or via user dialog fatigue</p>
<p>Any crash where random memory or NULL is executed (the top of the stack is not a function)</p>
<p>Any crash where random memory is accessed</p></td>
</tr>
<tr>
<th scope="row">High</th>
<td align="left" valign="top"><p>Obtain confidential data from other sites the user is visiting or the local machine, or inject data or code into those sites, requiring no more than normal browsing actions.</p>
<p>Indefinite DoS of the user's system, requiring OS reinstallation or extensive cleanup</p></td>
<td align="left" valign="top"><p>Cross-site Scripting (XSS)</p>
<p>Theft of arbitrary files from local system</p>
<p>Spoofing of full URL bar or bypass of SSL integrity checks</p></td>
</tr>
<tr>
<th scope="row">Moderate</th>
<td align="left" valign="top"><p>Disclosure of sensitive information that represents a violation of privacy but by itself does not expose the user or organization to immediate risk.</p>
<p>A vulnerability that combined with another moderate vulnerability could result in an attack of high or critical severity (aka stepping stone).</p>
<p>Indefinite application DoS via corruption of state, requiring application re-installation</p>
<p>Temporary DoS of the user's system, requiring reboot</p>
<td align="left" valign="top">
<p>Disclosure of OS username</p>
<p>Disclosure of browser cache salt</p>
<p>Disclosure of entire browsing history</p>
<p>Detection of arbitrary local files</p>
<p>Launching of arbitrary local application without arguments</p>
<p>Local storage of passwords in unencrypted form </p>
<p>Persistent DoS attacks that prevent the user from starting Firefox or another application in the future</p></td>
</tr>
<tr>
<th scope="row">Low</th>
<td align="left" valign="top"><p>Minor security vulnerabilities such as leaks or spoofs of non-sensitive information.</p>
</td>
<td align="left" valign="top"><p>Detection of previous visit to a specific site</p>
<p>Identification of users by profiling browsing behavior.</p>
<p>Corruption of chrome dialogs or user input without the ability to spoof arbitrary messages</p></td>
</tr>
<tr>
<th scope="row">DoS</th>
<td align="left" valign="top"><p>Temporary Denial of Service attacks that users can avoid by not visiting the site again.</p><p>It is not necessary to mark each bug with [sg:dos]; adding the hang or crash keyword is sufficient.</p>
</td>
<td align="left" valign="top">
<p>Script that hangs the application for more than 5-10 seconds (without triggering the "slow script" dialog)</p>
<p>Application crash.</p>
<p>Infinite loop of dialogs that a user cannot escape.</p></td>
</tr>
</table>
==Mitigating Circumstances==
If there are mitigating circumstances that severely reduce the effectiveness of the exploit, then the exploit could be reduced by one level of severity. Examples of mitigating circumstances include difficulty in reproducing due to very specific timing or load order requirements, complex or unusual set of actions the user would have to take beyond normal browsing behaviors, or unusual software configuration.
As a rough guide, to be considered for reduction in severity an exploit should execute successfully less than 10% of the time. If measures can be taken to improve the reliability of the exploit to over 10% (by combining it with other existing bugs or techniques), then it should not be considered to be mitigated.
==Additional Security Status Codes==
If a potential security issue has not yet been assigned a severity rating, or a rating is not appropriate, the whiteboard may instead contain one of the following security status codes.
<table border="1">
<tr>
<th width="130" scope="col">Severity</th>
<th scope="col">Decription</th>
<th scope="col">Examples</th>
</tr>
<tr>
<th scope="row">sg:needinfo</th>
<td align="left" valign="top"><p>Information contained within the bug is incomplete, and additional information from the original submitter is required to confirm the bug.</p></td>
<td align="left" valign="top"> <p>Ambiguous or incomplete bug description</p>
<p>Inconsistency in reproducing the issue</p>
</td>
</tr>
<tr>
<th scope="row">sg:want</th>
<td align="left" valign="top"><p>New features or improvement ideas related to security</p></td>
<td align="left" valign="top"> <p>User interface refinements</p>
<p>Support for new types of authentication</p>
<p>Code refactoring / cleanup</p></td>
</tr>
<tr>
<th scope="row"><strike>sg:investigate</strike></th>
<td align="left" valign="top"><p>DEPRECATED. Use sg:audit for legitimate code audit bugs, otherwise use the most appropriate status code given the bug state.</p>
<td align="left" valign="top">
<p>Further research is required to determine exploitability</p>
<p>Bugs that involve reviewing the codebase to discover potentially dangerous implementation patterns</p>
</td>
</tr>
<tr>
<th scope="row">sg:audit</th>
<td align="left" valign="top"><p>Bug requires a code audit to investigate potential security problems.</p></td>
<td align="left" valign="top"><p>Look for pattern x in library y</p>
<p>Audit file z for string buffer abuse.</p></td>
</tr>
<tr>
<th scope="row">sg:nse</th>
<td align="left" valign="top"><p>Bugs that may not be exploitable security issues but are kept confidential to protect sensitive information.</p>
<td align="left" valign="top">
<p>Bugs that contain sensitive information about the bug submitter or another user</p>
<p>Bugs that are related to security issues currently unfixed in Mozilla products or other products</p>
</td>
</tr>
<tr>
<th scope="row">sg:dupe <bugid></th>
<td align="left" valign="top"><p>Designates a duplicate of another security bug.</p>
<td align="left" valign="top">
<p>Copy of an existing bug targeting a different release</p>
<p>Same underlying bug filed independently</p>
</td>
</tr>
<tr>
<th scope="row">sg:vector-X</th>
<td align="left" valign="top"><p>Flaws in software not controlled by (shipped with) Firefox, but that can cause security problems for people browsing with Firefox.</p>
<td align="left" valign="top">
<p>Bugs in plugins</p>
<p>Bugs in system libraries used by Firefox</p>
</td>
</tr>
</table>
[[/Security_Severity_Ratings/archive | archive]]
Security bugs are rated by specifying [sg:<rating>] in the "Whiteboard" field in bugzilla. For example, a bug with a Critical severity rating would be marked as [sg:critical]. You might also notice a [ws:<rating>] in the "Whiteboard" field which is used for our Web Applications. The severity rating system can be found on the [https://wiki.mozilla.org/WebAppSec/Web_App_Severity_Ratings Web Application Security Severity Rating] page.
==Severity Ratings Table==
<table border="1">
<tr>
<th scope="col">Severity</th>
<th scope="col">Decription</th>
<th scope="col">Examples</th>
</tr>
<tr>
<th scope="row">Critical</th>
<td align="left" valign="top"><p>Run attacker code with local user privilege or install malicious software, requiring no user interaction beyond normal browsing. The big bada boom.</p></td>
<td align="left" valign="top"> <p>Overflows resulting in native code excution</p>
<p>JavaScript injection into browser chrome</p>
<p>Launching of arbitrary local application with provided arguments</p>
<p>Filetype spoofing where executables can masquerade as benign content types</p>
<p>Installation & execution of plugins/modules with chrome/native privileges, without user consent or via user dialog fatigue</p>
<p>Any crash where random memory or NULL is executed (the top of the stack is not a function)</p>
<p>Any crash where random memory is accessed</p></td>
</tr>
<tr>
<th scope="row">High</th>
<td align="left" valign="top"><p>Obtain confidential data from other sites the user is visiting or the local machine, or inject data or code into those sites, requiring no more than normal browsing actions.</p>
<p>Indefinite DoS of the user's system, requiring OS reinstallation or extensive cleanup</p></td>
<td align="left" valign="top"><p>Cross-site Scripting (XSS)</p>
<p>Theft of arbitrary files from local system</p>
<p>Spoofing of full URL bar or bypass of SSL integrity checks</p></td>
</tr>
<tr>
<th scope="row">Moderate</th>
<td align="left" valign="top"><p>Disclosure of sensitive information that represents a violation of privacy but by itself does not expose the user or organization to immediate risk.</p>
<p>A vulnerability that combined with another moderate vulnerability could result in an attack of high or critical severity (aka stepping stone).</p>
<p>Indefinite application DoS via corruption of state, requiring application re-installation</p>
<p>Temporary DoS of the user's system, requiring reboot</p>
<td align="left" valign="top">
<p>Disclosure of OS username</p>
<p>Disclosure of browser cache salt</p>
<p>Disclosure of entire browsing history</p>
<p>Detection of arbitrary local files</p>
<p>Launching of arbitrary local application without arguments</p>
<p>Local storage of passwords in unencrypted form </p>
<p>Persistent DoS attacks that prevent the user from starting Firefox or another application in the future</p></td>
</tr>
<tr>
<th scope="row">Low</th>
<td align="left" valign="top"><p>Minor security vulnerabilities such as leaks or spoofs of non-sensitive information.</p>
</td>
<td align="left" valign="top"><p>Detection of previous visit to a specific site</p>
<p>Identification of users by profiling browsing behavior.</p>
<p>Corruption of chrome dialogs or user input without the ability to spoof arbitrary messages</p></td>
</tr>
<tr>
<th scope="row">DoS</th>
<td align="left" valign="top"><p>Temporary Denial of Service attacks that users can avoid by not visiting the site again.</p><p>It is not necessary to mark each bug with [sg:dos]; adding the hang or crash keyword is sufficient.</p>
</td>
<td align="left" valign="top">
<p>Script that hangs the application for more than 5-10 seconds (without triggering the "slow script" dialog)</p>
<p>Application crash.</p>
<p>Infinite loop of dialogs that a user cannot escape.</p></td>
</tr>
</table>
==Mitigating Circumstances==
If there are mitigating circumstances that severely reduce the effectiveness of the exploit, then the exploit could be reduced by one level of severity. Examples of mitigating circumstances include difficulty in reproducing due to very specific timing or load order requirements, complex or unusual set of actions the user would have to take beyond normal browsing behaviors, or unusual software configuration.
As a rough guide, to be considered for reduction in severity an exploit should execute successfully less than 10% of the time. If measures can be taken to improve the reliability of the exploit to over 10% (by combining it with other existing bugs or techniques), then it should not be considered to be mitigated.
==Additional Security Status Codes==
If a potential security issue has not yet been assigned a severity rating, or a rating is not appropriate, the whiteboard may instead contain one of the following security status codes.
<table border="1">
<tr>
<th width="130" scope="col">Severity</th>
<th scope="col">Decription</th>
<th scope="col">Examples</th>
</tr>
<tr>
<th scope="row">sg:needinfo</th>
<td align="left" valign="top"><p>Information contained within the bug is incomplete, and additional information from the original submitter is required to confirm the bug.</p></td>
<td align="left" valign="top"> <p>Ambiguous or incomplete bug description</p>
<p>Inconsistency in reproducing the issue</p>
</td>
</tr>
<tr>
<th scope="row">sg:want</th>
<td align="left" valign="top"><p>New features or improvement ideas related to security</p></td>
<td align="left" valign="top"> <p>User interface refinements</p>
<p>Support for new types of authentication</p>
<p>Code refactoring / cleanup</p></td>
</tr>
<tr>
<th scope="row"><strike>sg:investigate</strike></th>
<td align="left" valign="top"><p>DEPRECATED. Use sg:audit for legitimate code audit bugs, otherwise use the most appropriate status code given the bug state.</p>
<td align="left" valign="top">
<p>Further research is required to determine exploitability</p>
<p>Bugs that involve reviewing the codebase to discover potentially dangerous implementation patterns</p>
</td>
</tr>
<tr>
<th scope="row">sg:audit</th>
<td align="left" valign="top"><p>Bug requires a code audit to investigate potential security problems.</p></td>
<td align="left" valign="top"><p>Look for pattern x in library y</p>
<p>Audit file z for string buffer abuse.</p></td>
</tr>
<tr>
<th scope="row">sg:nse</th>
<td align="left" valign="top"><p>Bugs that may not be exploitable security issues but are kept confidential to protect sensitive information.</p>
<td align="left" valign="top">
<p>Bugs that contain sensitive information about the bug submitter or another user</p>
<p>Bugs that are related to security issues currently unfixed in Mozilla products or other products</p>
</td>
</tr>
<tr>
<th scope="row">sg:dupe <bugid></th>
<td align="left" valign="top"><p>Designates a duplicate of another security bug.</p>
<td align="left" valign="top">
<p>Copy of an existing bug targeting a different release</p>
<p>Same underlying bug filed independently</p>
</td>
</tr>
<tr>
<th scope="row">sg:vector-X</th>
<td align="left" valign="top"><p>Flaws in software not controlled by (shipped with) Firefox, but that can cause security problems for people browsing with Firefox.</p>
<td align="left" valign="top">
<p>Bugs in plugins</p>
<p>Bugs in system libraries used by Firefox</p>
</td>
</tr>
</table>
[[/Security_Severity_Ratings/archive | archive]]
