@@ -91,6 +91,73 @@ of the downstream projects included in this process:
9191* Drupal (releases typically happen on Wednesdays)
9292* eZPublish
9393
94+ Issue Severity
95+ --------------
96+ In order to determine the severity of a security issue we take into account
97+ the complexity of any potential attack, the impact of the vulnerability and
98+ also how many projects it is likely to affect. This score out of 15 is then
99+ converted into a level of: Low, Medium, High, Critical, or Exceptional.
100+
101+ **Attack Complexity **
102+
103+ *Score of between 1 and 5 depending on how complex it is to exploit the
104+ vulnerability *
105+
106+ * 4 - 5 Basic: attacker must follow a set of simple steps
107+ * 2 - 3 Complex: attacker must follow non-intuitive steps with a high level
108+ of dependencies
109+ * 1 - 2 High: A successful attack depends on conditions beyond the attacker's
110+ control. That is, a successful attack cannot be accomplished at will, but
111+ requires the attacker to invest in some measurable amount of effort in
112+ preparation or execution against the vulnerable component before a successful
113+ attack can be expected.
114+
115+ **Impact **
116+
117+ *Scores from the following areas are added together to produce a score. The
118+ score for Impact is capped at 6. Each area is scored between 0 and 4. *
119+
120+ * Integrity: Does this vulnerability cause non-public data to be accessible?
121+ If so, does the attacker have control over the data disclosed? (0-4)
122+ * Disclosure: Can this exploit allow system data (or data handled by the
123+ system) to be compromised? If so, does the attacker have control over
124+ modification? (0-4)
125+ * Code Execution: Does the vulnerability allow arbitrary code to be executed
126+ on an end-users system, or the server that it runs on? (0-4)
127+ * Availability: Is the availability of a service or application affected? Is
128+ it reduced availability or total loss of availability of a service /
129+ application? Availability includes networked services (e.g., databases) or
130+ resources such as consumption of network bandwidth, processor cycles, or
131+ disk space. (0-4)
132+
133+ **Affected Projects **
134+
135+ *Scores from the following areas are added together to produce a score. The
136+ score for Affected Projects is capped at 4. *
137+
138+ * Will it affect some or all using a component? (1-2)
139+ * Is the usage of the component that would cause such a thing already
140+ considered bad practice? (0-1)
141+ * How common/popular is the component (e.g. Console vs HttpFoundation vs
142+ Lock)? (0-2)
143+ * Are a number of well-known open source projects using Symfony affected
144+ that requires coordinated releases? (0-1)
145+
146+ **Score Totals **
147+
148+ * Attack Complexity: 1 - 4
149+ * Impact: 1 - 6
150+ * Affected Projects: 1 - 4
151+
152+ **Severity levels **
153+
154+ * Low: 1 - 5
155+ * Medium: 6 - 10
156+ * High: 11 - 12
157+ * Critical: 13 - 14
158+ * Exceptional: 15
159+
160+
94161Security Advisories
95162-------------------
96163
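Review bot: The "Score Totals" list in this hunk does not match the ranges defined above it: "Attack Complexity: 1 - 4" contradicts the earlier "Score of between 1 and 5" and the "4 - 5 Basic" band, and with a maximum of 4 the three components only sum to 14, so the "Exceptional: 15" level could never be reached; change the total to "Attack Complexity: 1 - 5" (or lower the band to 1-4 everywhere) so the parts add up to the stated score out of 15. In the same section the bands "2 - 3 Complex" and "1 - 2 High" overlap at 2, leaving a score of 2 ambiguous, so the boundaries should be made disjoint. Under "Impact", the descriptions of "Integrity" and "Disclosure" appear swapped: the Integrity bullet asks whether non-public data becomes accessible (a disclosure question), while the Disclosure bullet asks about control over modification (an integrity question); swapping the two bodies would fix it. Finally, the trailing space before the closing marker in `**Attack Complexity **`, `**Impact **`, `**Affected Projects **`, `**Score Totals **`, `**Severity levels **` and in the italic `*Score of between 1 and 5 ... vulnerability *` blocks will stop the emphasis from rendering (reStructuredText, which the dash underline suggests, rejects inline markup that ends with whitespace); drop the space, and indent the continuation lines of the multi-line bullets ("of dependencies", "control. That is, ...") to align with the bullet text so they are parsed as part of the list item.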