Add severity rankings to security policy #10857

67 changes: 67 additions & 0 deletions contributing/code/security.rst
Expand Up @@ -91,6 +91,73 @@ of the downstream projects included in this process:
* Drupal (releases typically happen on Wednesdays)
* eZPublish

Issue Severity
--------------
In order to determine the severity of a security issue we take into account
the complexity of any potential attack, the impact of the vulnerability and
also how many projects it is likely to affect. This score out of 15 is then
converted into a level of: Low, Medium, High, Critical, or Exceptional.

**Attack Complexity**

*Score of between 1 and 5 depending on how complex it is to exploit the
vulnerability*

* 4 - 5 Basic: attacker must follow a set of simple steps
* 2 - 3 Complex: attacker must follow non-intuitive steps with a high level
of dependencies
* 1 - 2 High: A successful attack depends on conditions beyond the attacker's
control. That is, a successful attack cannot be accomplished at will, but
requires the attacker to invest in some measurable amount of effort in
preparation or execution against the vulnerable component before a successful
attack can be expected.

**Impact**

*Scores from the following areas are added together to produce a score. The
score for Impact is capped at 6. Each area is scored between 0 and 4.*

* Integrity: Does this vulnerability cause non-public data to be accessible?
If so, does the attacker have control over the data disclosed? (0-4)
* Disclosure: Can this exploit allow system data (or data handled by the
system) to be compromised? If so, does the attacker have control over
modification? (0-4)
* Code Execution: Does the vulnerability allow arbitrary code to be executed
on an end-users system, or the server that it runs on? (0-4)
* Availability: Is the availability of a service or application affected? Is
it reduced availability or total loss of availability of a service /
application? Availability includes networked services (e.g., databases) or
resources such as consumption of network bandwidth, processor cycles, or
disk space. (0-4)

**Affected Projects**

*Scores from the following areas are added together to produce a score. The
score for Affected Projects is capped at 4.*

* Will it affect some or all using a component? (1-2)
* Is the usage of the component that would cause such a thing already
considered bad practice? (0-1)
* How common/popular is the component (e.g. Console vs HttpFoundation vs
Lock)? (0-2)
* Are a number of well-known open source projects using Symfony affected
that requires coordinated releases? (0-1)

**Score Totals**

* Attack Complexity: 1 - 4
* Impact: 1 - 6
* Affected Projects: 1 - 4

**Severity levels**

* Low: 1 - 5
* Medium: 6 - 10
* High: 11 - 12
* Critical: 13 - 14
* Exceptional: 15


Security Advisories
-------------------

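Review bot: the score ranges in this hunk do not add up to the 15-point scale the intro promises. The Attack Complexity text says "Score of between 1 and 5" and its top band is "4 - 5 Basic", yet Score Totals lists "Attack Complexity: 1 - 4"; with Impact capped at 6 and Affected Projects capped at 4, a 1-4 complexity range tops out at 14, so the "Exceptional: 15" level can never be reached. The complexity bands also overlap ("1 - 2 High" and "2 - 3 Complex" both contain 2), and the Impact areas are scored 0-4 while Score Totals gives Impact a minimum of 1. Suggest making the bands disjoint (e.g. 1 High, 2-3 Complex, 4-5 Basic), keeping 1-5 in the totals so 15 is reachable, and aligning the Impact minimum to 0. Separately, the Integrity and Disclosure bullets read as swapped: Integrity asks whether non-public data becomes accessible (a confidentiality question), while Disclosure asks about control over modification (an integrity question). Minor wording: "end-users system" should be "end-user's system", and "affected that requires coordinated releases" should be "that require".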