Security Severity Ratings

2,712 bytes added, 18:57, 3 May 2012
no edit summary
{{TOC right}}
Security bugs are rated by specifying "sec-<rating>" in the "Keyword" field in bugzilla. For example, a bug with a Critical severity security rating would be marked as "sec-critical". You might also notice a [ws:<rating>] in the "Whiteboard" field, which is used for our Web Applications. The severity rating system for those can be found on the [https://wiki.mozilla.org/WebAppSec/Web_App_Severity_Ratings Web Application Security Severity Rating] page.
==Severity Ratings ==
{| class="wikitable collapsible collapsed" style="width: 100%"
! Severity Ratings & Examples
|-
|
The following items are keywords for the severity of an issue.
;'''sec-critical''': Run attacker code with local user privilege or install malicious software, requiring no user interaction beyond normal browsing. Exploitable vulnerabilities which can lead to the widespread compromise of many users.
''Examples:''
* Any bug where random memory is written to is critical
* Any bug where random memory is read from and then used in a subsequent memory or jump operation (offset, array, etc.) is critical
* XSS (Stored)
* CSRF
* Code Injection
* Authentication Flaws (which lead to account compromise)
* Session Management Flaws (which lead to account compromise)
;'''sec-high''': Obtain confidential data from other sites the user is visiting or the local machine, or inject data or code into those sites, requiring no more than normal browsing actions. Indefinite DoS of the user's system, requiring OS reinstallation or extensive cleanup. Exploitable web vulnerabilities that can lead to the targeted compromise of a small number of users.
''Examples:''
* Spoofing of full URL bar or bypass of SSL integrity checks
* Memory read that results in data being written into an inert container (i.e. string or image) that is subsequently accessible to content
* XSS (Reflected)
* Failure to use TLS where needed to ensure confidentiality/security
;'''sec-moderate''': Vulnerabilities which can provide an attacker additional information or positioning that could be used in combination with other vulnerabilities. Disclosure of sensitive information that represents a violation of privacy but by itself does not expose the user or organization to immediate risk. The vulnerability combined with another moderate vulnerability could result in an attack of high or critical severity (aka a stepping stone). Indefinite application Denial of Service (DoS) via corruption of state, requiring application re-installation, or temporary DoS of the user's system, requiring a reboot. The lack of standard defense in depth techniques and security controls.
''Examples:''
* Local storage of passwords in unencrypted form
* Persistent DoS attacks that prevent the user from starting Firefox or another application in the future
* Missing additional security controls (X-Frame-Options, Secure/HttpOnly cookie flags, etc.)
* Error handling issues
;'''sec-low''': Minor security vulnerabilities such as leaks or spoofs of non-sensitive information. Missing best practice security controls.
''Examples:''
* Identification of users by profiling browsing behavior.
* Corruption of chrome dialogs or user input without the ability to spoof arbitrary messages
* Lack of proper input validation (not resulting in XSS or injection)
* Content spoofing (non-HTML)
;'''sec-other''': Bugs that may not be exploitable security issues but are kept confidential to protect sensitive information. Bugs that contain sensitive information about the bug submitter or another user. Bugs that are related to security issues currently unfixed in Mozilla products or other products.
''Examples:''
* Flaws we need to track that are not in our code base
;'''Mitigating Circumstances''':
As a rough guide, to be considered for reduction in severity an exploit should execute successfully less than 10% of the time. If measures can be taken to improve the reliability of the exploit to over 10% (by combining it with other existing bugs or techniques), then it should not be considered to be mitigated.
 
 
|}
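The tagging scheme above is simple enough that triage tooling can validate it. The following is an added example, not code from this wiki page or from Mozilla: a small Python helper that reads a bug's Bugzilla keyword list and whiteboard string, extracts the severity keyword (sec-<rating>), status keywords (sec-audit, sec-review-needed, ...), group keywords (csec-, wsec-, opsec-), the [ws:<rating>] web-app rating and the accountable contact ([sec-assigned:alias] or the older [secr:alias]), and flags common triage mistakes. The sample keyword and whiteboard strings in it are constructed; the function names are this example's own. It also applies the 10% threshold from "Mitigating Circumstances" as a plain eligibility check, since the page says only that such an exploit "should be considered for" reduction, not by how much.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Keyword vocabulary taken from the tables on this page.
SEVERITY_RATINGS = ("critical", "high", "moderate", "low", "other")
STATUS_KEYWORDS = ("audit", "vector", "want", "incident",
                   "review-needed", "review-complete")
GROUP_PREFIXES = ("csec-", "wsec-", "opsec-")

# Whiteboard tags look like "[name:value]"; several may appear in one field.
WHITEBOARD_TAG_RE = re.compile(r"\[(?P<name>[A-Za-z-]+):(?P<value>[^\]]+)\]")


@dataclass
class SecurityTriage:
    severity: Optional[str] = None            # "critical", "high", "moderate", ...
    status: List[str] = field(default_factory=list)
    group_keywords: List[str] = field(default_factory=list)
    web_rating: Optional[str] = None          # value of [ws:<rating>]
    assigned: Optional[str] = None            # value of [sec-assigned:alias] / [secr:alias]
    problems: List[str] = field(default_factory=list)


def parse_security_tags(keywords: str, whiteboard: str) -> SecurityTriage:
    """Extract the security tags from a comma-separated keyword list and a whiteboard string."""
    triage = SecurityTriage()

    for kw in (k.strip() for k in keywords.split(",")):
        if not kw:
            continue
        if kw.startswith("sec-"):
            suffix = kw[len("sec-"):]
            if suffix in SEVERITY_RATINGS:
                if triage.severity is not None:
                    triage.problems.append(
                        f"conflicting severity keywords: sec-{triage.severity} and {kw}")
                triage.severity = suffix
            elif suffix in STATUS_KEYWORDS:
                triage.status.append(suffix)
            else:
                triage.problems.append(f"unknown keyword: {kw}")
        elif kw.startswith(GROUP_PREFIXES):
            triage.group_keywords.append(kw)
        # Other Bugzilla keywords (crash, hang, ...) are not security tags and are ignored.

    for match in WHITEBOARD_TAG_RE.finditer(whiteboard):
        name = match.group("name").lower()
        value = match.group("value").strip()
        if name == "ws":
            triage.web_rating = value
        elif name in ("sec-assigned", "secr"):
            triage.assigned = value
        elif name == "sg":
            # The old [sg:<rating>] whiteboard convention; ratings now live in keywords.
            triage.problems.append(
                f"legacy whiteboard tag [sg:{value}]; use the sec-<rating> keyword instead")

    if triage.severity is None and not triage.status and triage.web_rating is None:
        triage.problems.append("no severity rating or security status keyword")
    if "review-needed" in triage.status and triage.assigned is None:
        triage.problems.append("sec-review-needed but no assigned contact: not yet triaged")
    return triage


def mitigation_eligible(exploit_success_rate: float) -> bool:
    """'Mitigating Circumstances' rule: only an exploit that succeeds less than
    10% of the time may be considered for a severity reduction. The rate passed
    in must already account for combination with other known bugs or techniques."""
    if not 0.0 <= exploit_success_rate <= 1.0:
        raise ValueError("exploit_success_rate must be a fraction between 0 and 1")
    return exploit_success_rate < 0.10


if __name__ == "__main__":
    # Constructed sample bug: a client-side memory-safety bug already assigned to curtisk.
    result = parse_security_tags("sec-critical, crash, csec-buffer-overrun",
                                 "[sec-assigned:curtisk]")
    print(result)
    # Constructed sample bug: review requested but nobody assigned yet.
    print(parse_security_tags("sec-review-needed", "[ws:high]").problems)
    print("reduction may be considered:", mitigation_eligible(0.05))
```

Running the script prints the parsed triage record for each constructed bug; the second one reports that the review request has not yet been triaged because no contact is assigned, which is exactly the condition the sec-review-needed description above describes.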
==Additional Security Status Codes==
If a potential security issue has not yet been assigned a severity rating, or a rating is not appropriate, the whiteboard may instead contain one of the following security status codes.
{| style="width: 800px;" class="wikitable collapsible collapsed fullwidth-table"
! Shared Keywords
|-
! style="width:5%" | Code
! style="width:10%"| Description
! style="width:5%" | Examples
|-
| <b>sec-audit</b>
| Bug requires a code audit to investigate potential security problems.
| Look for pattern x in library y. Audit file z for string buffer abuse.
|-
| <b>sec-vector</b>
| Flaws not in Mozilla controlled software, but which can cause security problems for Mozilla users.
| Bugs in plugins. Bugs in system libraries used by Firefox.
|-
| <b>sec-want</b>
| New features or improvement ideas related to security.
| User interface refinements. Code refactoring / cleanup.
|-
| <b>sec-incident</b>
| Issues resulting in an incident response or 'chemspill' actions by the security team.
| Server compromise. Code issues that would cause client code to be respun.
|-
| <b>sec-review-needed</b>
| A security review is needed for the bug; this could mean a variety of things. If there is no secr:<username> in the whiteboard, the item has not been triaged and the action is unknown. Once triaged, a note will be placed in the bug as to the action to be taken.
|
|-
| <b>sec-review-complete</b>
| The security review / actions desired have been completed. This will result in either a link to the notes from security actions or a note from the assigned resource in the bug.
|
|-
|}
{| style="width: 800px;" class="wikitable collapsible collapsed fullwidth-table"
! Group Keywords
|-
! style="width:5%" | Code
! style="width:10%"| Description
! style="width:5%" | Examples
|-
| <b>csec-</b>
| Client Security (i.e. Firefox, Thunderbird, etc.)
|
{|class="wikitable collapsible collapsed fullwidth-table"
! csec-
|-
! style="width:5%" | Code
! style="width:10%"| Description
|-
| csec-buffer-overrun
| The identified flaw is a buffer overrun
|-
|}
|-
| <b>wsec-</b>
| Web Security (Web Sites, Web Services, etc.)
|
{|class="wikitable collapsible collapsed fullwidth-table"
! wsec-
|-
! style="width:5%" | Code
! style="width:10%"| Description
|-
| wsec-xss
| The identified flaw is a cross site scripting flaw
|-
|}
|-
| <b>opsec-</b>
| Operations Security (Mozilla owned & operated servers and services)
|
{|class="wikitable collapsible collapsed fullwidth-table"
! opsec-
|-
! style="width:5%" | Code
! style="width:10%"| Description
|-
| opsec-access
| The identified issue is an access violation.
|-
|}
|}
{| style="width: 800px;" class="wikitable collapsible collapsed fullwidth-table"
! Whiteboard Tags
|-
! style="width:5%" | Code
! style="width:10%"| Description
! style="width:5%" | Examples
|-
|<b>sec-assigned:UserAlias</b>
|This designates the assigned security resource that is accountable for actions to be taken on the designated item. When possible the bug will be assigned to the security contact for action; this tag is used when that is not possible or practical.
|[sec-assigned:curtisk] indicates that curtisk is the accountable party for action
|-
|}
{| style="width: 800px;" class="wikitable collapsible collapsed fullwidth-table"
! Feature Page Codes
|-
! style="width:5%" | Code
! style="width:10%"| Description
! style="width:5%" | Examples
|-
|<b>sec-review-needed</b>
| {{StatusAssigned|status=Color: Teal}}
|-
|}
{| class="wikitable collapsible collapsed" style="width: 100%"
! Priority Matrix (primarily OpSec)
|-
|
;'''Blocker''': Anything which is easily exploitable or reproducible and/or which we are seeing active attempts to exploit. Anything which has a high impact to Mozilla should also be considered. This priority flag should communicate that other work is blocked by this issue and that it should be resolved immediately.
''Examples:''
* SQL injection or Injection Flaws and Remote File Inclusion (RFI)
* Anything which has been publicized as a 0day which falls into the 'Critical' category.
* Flaws being actively used in the wild (chemspill?).
 
;'''Critical''': Vulnerabilities which are exploitable and/or hard to reproduce, which we are not seeing actively exploited, or against which we have another means of protection.
''Examples:''
* XSS
* CSRF and Authentication or token handling issues
;'''Major''': Vulnerabilities which have a slightly lesser degree of impact compared to Critical.
''Examples:''
* Content Spoofing
* Information Disclosure or Error Handling
;'''Normal''': Internal vulnerability with a low likelihood of being remotely exploitable.
|}
[[/Security_Severity_Ratings/archive | archive]]