From db4d50bede987fe0896dfff2d4a9237573a0e6c6 Mon Sep 17 00:00:00 2001 From: Michael Cullum Date: Wed, 9 Jan 2019 17:20:39 +0000 Subject: [PATCH 1/5] Add severity rankings to security policy --- contributing/code/security.rst | 65 ++++++++++++++++++++++++++++++++++ 1 file changed, 65 insertions(+) diff --git a/contributing/code/security.rst b/contributing/code/security.rst index e1c95f4f171..ee83692fc61 100644 --- a/contributing/code/security.rst +++ b/contributing/code/security.rst 
@@ -91,6 +91,71 @@ of the downstream projects included in this process: * Drupal (releases typically happen on Wednesdays) * eZPublish +Issue Severity +-------------- +In order to determine the severity of a security issue we take into account +the complexity of any potential attack, the impact of the vulnerability and +also how many projects it is likely to affect. This score out of 15 is then +converted into a level of: Low, Medium, High, Critical, or Exceptional. + +#### **Attack Complexity** +*Score of between 1 and 5 depending on how complex it is to exploit the +vulnerability* + +* 4 - 5 Basic: attacker must follow a set of simple steps +* 2 - 3 Complex: attacker must follow non-intuitive steps with a high level +of dependencies +* 1 - 2 High: A successful attack depends on conditions beyond the attacker's +control. That is, a successful attack cannot be accomplished at will, but +requires the attacker to invest in some measurable amount of effort in +preparation or execution against the vulnerable component before a successful +attack can be expected. + +#### Impact +*Scores from the following areas are added together to produce a score. The +score for Impact is capped at 6. Each area is scored between 0 and 4.* + +* Integrity: Does this vulnerability cause non-public data to be accessible? +If so, does the attacker have control over the data disclosed? (0-4) +* Disclosure: Can this exploit allow system data (or data handled by the +system) to be compromised? If so, does the attacker have control over +modification? (0-4) +* Code Execution: Does the vulnerability allow arbitrary code to be executed +on an end-users system, or the server that it runs on? (0-4) +* Availability: Is the availability of a service or application affected? Is +it reduced availability or total loss of availability of a service / +application? 
Availability includes networked services (e.g., databases) or +resources such as consumption of network bandwidth, processor cycles, or +disk space. (0-4) + +#### Affected Projects (1-4) +*Scores from the following areas are added together to produce a score. The +score for Affected Projects is capped at 4.* +* Will it affect some or all using a component? (1-2) +* Is the usage of the component that would cause such a thing already +considered bad practice? (0-1) +* How common/popular is the component (e.g. Console vs HttpFoundation vs +Lock)? (0-2) +* Are a number of well-known open source projects using Symfony affected +that requires coordinated releases? (0-1) + +#### Score Totals + +Attack Complexity: 1 - 4 +Impact: 1 - 6 +Affected Projects: 1 - 4 + +Total Score: 1 - 15 + +| Severity | Total score | +|------------- |----------------- | +| Low | 1 - 5 | +| Medium | 6 - 10 | +| High | 11 - 12 | +| Critical | 13 - 14 | +| Exceptional      | 15 | + + Security Advisories ------------------- From 5a7604d9ea412ca9038fbf9b8705224df0260907 Mon Sep 17 00:00:00 2001 From: Michael Cullum Date: Wed, 9 Jan 2019 17:38:48 +0000 Subject: [PATCH 2/5] Attempt to fix formatting disaster --- contributing/code/security.rst | 59 +++++++++++++++++----------------- 1 file changed, 30 insertions(+), 29 deletions(-) diff --git a/contributing/code/security.rst b/contributing/code/security.rst index ee83692fc61..ed379b436fa 100644 --- a/contributing/code/security.rst +++ b/contributing/code/security.rst 
@@ -98,48 +98,49 @@ the complexity of any potential attack, the impact of the vulnerability and also how many projects it is likely to affect. This score out of 15 is then converted into a level of: Low, Medium, High, Critical, or Exceptional. -#### **Attack Complexity** +**Attack Complexity** *Score of between 1 and 5 depending on how complex it is to exploit the vulnerability* * 4 - 5 Basic: attacker must follow a set of simple steps -* 2 - 3 Complex: attacker must follow non-intuitive steps with a high level -of dependencies -* 1 - 2 High: A successful attack depends on conditions beyond the attacker's -control. That is, a successful attack cannot be accomplished at will, but -requires the attacker to invest in some measurable amount of effort in -preparation or execution against the vulnerable component before a successful -attack can be expected. - -#### Impact +* 2 - 3 Complex: attacker must follow non-intuitive steps with a high level + of dependencies +* 1 - 2 High: A successful attack depends on conditions beyond the attacker's + control. That is, a successful attack cannot be accomplished at will, but + requires the attacker to invest in some measurable amount of effort in + preparation or execution against the vulnerable component before a successful + attack can be expected. + +**Impact** *Scores from the following areas are added together to produce a score. The score for Impact is capped at 6. Each area is scored between 0 and 4.* -* Integrity: Does this vulnerability cause non-public data to be accessible? -If so, does the attacker have control over the data disclosed? (0-4) -* Disclosure: Can this exploit allow system data (or data handled by the -system) to be compromised? If so, does the attacker have control over -modification? (0-4) +* Integrity: Does this vulnerability cause non-public data to be accessible? + If so, does the attacker have control over the data disclosed? 
(0-4) +* Disclosure: Can this exploit allow system data (or data handled by the + system) to be compromised? If so, does the attacker have control over + modification? (0-4) * Code Execution: Does the vulnerability allow arbitrary code to be executed -on an end-users system, or the server that it runs on? (0-4) -* Availability: Is the availability of a service or application affected? Is -it reduced availability or total loss of availability of a service / -application? Availability includes networked services (e.g., databases) or -resources such as consumption of network bandwidth, processor cycles, or -disk space. (0-4) - -#### Affected Projects (1-4) + on an end-users system, or the server that it runs on? (0-4) +* Availability: Is the availability of a service or application affected? Is + it reduced availability or total loss of availability of a service / + application? Availability includes networked services (e.g., databases) or + resources such as consumption of network bandwidth, processor cycles, or + disk space. (0-4) + +**Affected Projects** *Scores from the following areas are added together to produce a score. The score for Affected Projects is capped at 4.* + * Will it affect some or all using a component? (1-2) -* Is the usage of the component that would cause such a thing already -considered bad practice? (0-1) -* How common/popular is the component (e.g. Console vs HttpFoundation vs -Lock)? (0-2) +* Is the usage of the component that would cause such a thing already + considered bad practice? (0-1) +* How common/popular is the component (e.g. Console vs HttpFoundation vs + Lock)? (0-2) * Are a number of well-known open source projects using Symfony affected -that requires coordinated releases? (0-1) + that requires coordinated releases? (0-1) -#### Score Totals +**Score Totals** Attack Complexity: 1 - 4 Impact: 1 - 6 From 9af70e766b269dfa9a2fde9896a911587ccb6dec Mon Sep 17 00:00:00 2001 
From: Michael Cullum Date: Wed, 9 Jan 2019 17:40:33 +0000 Subject: [PATCH 3/5] Fix formatting here also now these aren't headings --- contributing/code/security.rst | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/contributing/code/security.rst b/contributing/code/security.rst index ed379b436fa..2f8913f081a 100644 --- a/contributing/code/security.rst +++ b/contributing/code/security.rst @@ -99,12 +99,13 @@ also how many projects it is likely to affect. This score out of 15 is then converted into a level of: Low, Medium, High, Critical, or Exceptional. **Attack Complexity** + *Score of between 1 and 5 depending on how complex it is to exploit the vulnerability* * 4 - 5 Basic: attacker must follow a set of simple steps * 2 - 3 Complex: attacker must follow non-intuitive steps with a high level - of dependencies + of dependencies * 1 - 2 High: A successful attack depends on conditions beyond the attacker's control. That is, a successful attack cannot be accomplished at will, but requires the attacker to invest in some measurable amount of effort in @@ -112,6 +113,7 @@ vulnerability* attack can be expected. **Impact** + *Scores from the following areas are added together to produce a score. The score for Impact is capped at 6. Each area is scored between 0 and 4.* @@ -129,6 +131,7 @@ score for Impact is capped at 6. Each area is scored between 0 and 4.* disk space. (0-4) **Affected Projects** + *Scores from the following areas are added together to produce a score. The score for Affected Projects is capped at 4.* From 352a6ecbe9a146304da747a517fec1ec9a9c5ba5 Mon Sep 17 00:00:00 2001 From: Michael Cullum Date: Wed, 9 Jan 2019 17:42:12 +0000 Subject: [PATCH 4/5] Fix bold formatting here --- contributing/code/security.rst | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/contributing/code/security.rst b/contributing/code/security.rst index 2f8913f081a..6ae8880dfc1 100644 --- a/contributing/code/security.rst 
+++ b/contributing/code/security.rst @@ -107,10 +107,10 @@ vulnerability* * 2 - 3 Complex: attacker must follow non-intuitive steps with a high level of dependencies * 1 - 2 High: A successful attack depends on conditions beyond the attacker's - control. That is, a successful attack cannot be accomplished at will, but - requires the attacker to invest in some measurable amount of effort in - preparation or execution against the vulnerable component before a successful - attack can be expected. + control. That is, a successful attack cannot be accomplished at will, but + requires the attacker to invest in some measurable amount of effort in + preparation or execution against the vulnerable component before a successful + attack can be expected. **Impact** @@ -151,13 +151,13 @@ Affected Projects: 1 - 4 Total Score: 1 - 15 -| Severity | Total score | -|------------- |----------------- | +| Severity | Total score | +|-------------|-----------------| | Low | 1 - 5 | | Medium | 6 - 10 | | High | 11 - 12 | | Critical | 13 - 14 | -| Exceptional      | 15 | +| Exceptional      | 15 | Security Advisories From 8a7599045306e4f5d5f62426aa97a2c9ecf62fbb Mon Sep 17 00:00:00 2001 From: Michael Cullum Date: Wed, 9 Jan 2019 17:47:28 +0000 Subject: [PATCH 5/5] Remove table --- contributing/code/security.rst | 24 +++++++++++------------- 1 file changed, 11 insertions(+), 13 deletions(-) diff --git a/contributing/code/security.rst b/contributing/code/security.rst index 6ae8880dfc1..aa2835ff274 100644 --- a/contributing/code/security.rst +++ b/contributing/code/security.rst 
@@ -145,19 +145,17 @@ score for Affected Projects is capped at 4.* **Score Totals** -Attack Complexity: 1 - 4 -Impact: 1 - 6 -Affected Projects: 1 - 4 - -Total Score: 1 - 15 - -| Severity | Total score | -|-------------|-----------------| -| Low | 1 - 5 | -| Medium | 6 - 10 | -| High | 11 - 12 | -| Critical | 13 - 14 | -| Exceptional      | 15 | +* Attack Complexity: 1 - 4 +* Impact: 1 - 6 +* Affected Projects: 1 - 4 + +**Severity levels** + +* Low: 1 - 5 +* Medium: 6 - 10 +* High: 11 - 12 +* Critical: 13 - 14 +* Exceptional: 15 Security Advisories
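Review bot: [PATCH 1/5], hunk `@@ -91,6 +91,71 @@`: the scoring ranges do not agree with each other. "Attack Complexity" is introduced as a "Score of between 1 and 5", its bands overlap (4 - 5, 2 - 3, 1 - 2, so a 2 or a 4 falls in two bands), yet "Score Totals" lists it as "1 - 4", and "Total Score: 1 - 15" is only reachable if the maximum is 5 (5 + 6 + 4). The "Integrity" and "Disclosure" bullets also read as swapped: the Integrity item asks whether non-public data becomes accessible (a disclosure question) and the Disclosure item asks about data being compromised and attacker control over "modification" (an integrity question). Separately, this is an `.rst` file but the new text uses Markdown: `#### **Attack Complexity**` and the pipe table `| Severity | Total score |` will not render under Sphinx, and the unindented continuation lines ("of dependencies", "control. That is, ...") end each bullet item. Suggest RST subsection underlines below the `Issue Severity` / `--------------` section, continuation lines indented to align with the item text, and a simple table (`===========  ===========`) for the severity bands.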
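Review bot: [PATCH 2/5], hunk `@@ -98,48 +98,49 @@`: replacing the `####` headings with bold labels leaves each label directly followed by its italic description, e.g. `**Attack Complexity**` then `*Score of between 1 and 5 ...*`; in reStructuredText two adjacent lines form one paragraph, so the label and the description render inline as a single run of text. Either add a blank line after each bold label or use proper RST subsection headings. The re-indented continuation lines need to align exactly with the text after `* ` (two spaces); a one-space or three-space indent breaks the list or turns the line into a block quote, which is what the follow-up patches end up correcting.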
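Review bot: [PATCH 3/5], hunk `@@ -99,12 +99,13 @@`: the indentation fix covers only the `of dependencies` line, while the continuation lines of the `1 - 2 High` item in the same list (`control. That is, ...` through `attack can be expected.`) are left as they are and are re-indented again in [PATCH 4/5]; squashing the two fixes into one change would keep the list consistent in a single commit. The blank lines added after `**Attack Complexity**`, `**Impact**` and `**Affected Projects**` correctly separate the labels from the italic descriptions.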
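Review bot: [PATCH 4/5], hunk `@@ -151,13 +151,13 @@`: realigning the pipes does not make this table render, because `| Severity | Total score |` with a `|---|---|` separator is Markdown pipe-table syntax, not reStructuredText; Sphinx will emit the block as plain text regardless of alignment. Use an RST simple table or a `list-table` directive. Note also that the run of spaces after `Exceptional` survives in the `+` line even though the header separators were trimmed, which suggests it is not ordinary whitespace and should be removed.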
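Review bot: [PATCH 5/5], hunk `@@ -145,19 +145,17 @@`: dropping `Total Score: 1 - 15` removes the only statement that the severity level is derived from the sum of the three component scores; keep one sentence before `**Severity levels**`, e.g. "The total score is the sum of the three scores (1 - 15).", so the bands below are anchored to something. The `* Attack Complexity: 1 - 4` line still contradicts the "Score of between 1 and 5" definition and the `4 - 5 Basic` band earlier in the file, and with a 1 - 4 range the maximum total is 4 + 6 + 4 = 14, which makes `* Exceptional: 15` unreachable; pick one of 4 or 5 and apply it in both places.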