The following items are keywords for the severity of an issue.

sec-critical
Critical vulnerabilities are urgent security issues that present an ongoing or immediate danger to Firefox users. Technically there is no difference between a sec-critical and a sec-high; the difference is purely related to risk to users. Certain sec-critical vulnerabilities will cause an immediate dot-release to be issued.
 
sec-critical Examples:
- Vulnerabilities actively exploited or publicly disclosed
- Certain types of vulnerabilities that are worm-able or exceptionally easy to exploit

sec-high
High-severity vulnerabilities are exploitable vulnerabilities which can lead to the widespread compromise of many users requiring no more than normal browsing actions. This includes most types of memory corruption, UXSS, cross-origin data leaks, and disclosure of other sensitive user data (including the user's IP address if a proxy is used).
 
sec-high Examples:
- Theft of arbitrary files from local system
- Spoofing of full URL bar or bypass of SSL integrity checks
- Memory read that results in data being written into an inert container (i.e. string or image) that is subsequently accessible to content
- JavaScript injection into browser chrome or other origins
- Failure to use TLS where needed to ensure confidentiality/security
- Memory corruption leading to a limited or arbitrary memory read or write
- Sandbox escapes
- Proxy bypass
- Disclosure of browsing history
- Overflows resulting in native code execution
- Launching of arbitrary local application with provided arguments
- Installation & execution of plugins/modules with chrome/native privileges, without user consent or via user dialog fatigue

sec-moderate
Moderate severity represents a fairly wide range of issues, which include:
- Vulnerabilities that would be considered a sec-high but require the user to perform unusual or complex actions, or are limited in the scope of affected users or in capability.
- Vulnerabilities which can provide an attacker additional information or positioning that could be used in combination with other vulnerabilities.
- Disclosure of sensitive information that represents a violation of privacy but by itself does not expose sensitive user data or uniquely identify the user.
- Many types of application Denial of Service.
 
sec-moderate Examples:
- Private Browsing Mode data leaks
- Disclosure of OS username
- Disclosure of browsing history through efficient and fast timing side channels
- Detection of arbitrary local files
- Launching of arbitrary local application without arguments
- The most severe or persistent types of DoS attacks, such as ones that require re-installing Firefox or can write unbounded storage to disk

sec-low
Low severity represents vulnerabilities that clearly have security implications, but typically are unexploitable, very limited in scope, or require excessive time or processing to exploit.
 
sec-low Examples:
- Detection of a previous visit to a specific site, or when the affected site has a certain configuration
- Identification of users by profiling browsing behavior
- Corruption of chrome dialogs or user input without the ability to spoof arbitrary messages
- Most Denial of Service vulnerabilities, such as those requiring a browser restart

Mitigating Circumstances
 If there are mitigating circumstances that severely constrain the vulnerability, then the issue could be reduced by one level of severity.  Examples of mitigating circumstances include difficulty in reproducing due to very specific timing or load order requirements, a complex or unusual set of actions the user would have to take beyond normal browsing behaviors, or an unusual software configuration not provided by our Preferences page.  
As a rough guide, to be considered for reduction in severity, the vulnerability should be exploitable less than 10% of the time. If, in the future, default software configurations change or techniques are developed to improve the reliability of the exploit, it should be elevated back to the original rating.