Hello everyone,
some time ago we decided to rely on CVSS for severity of security issues. However, I have the impression that the resulting priority of issues doesn’t match user expectations. For example, a vulnerability that would give read-only access to all pages of a private wiki without user interaction is CVSS 7.5, which is just a critical severity according to the agreed-upon mapping. For such issues, we say that we’ll handle them depending on other priorities and give no guarantee that we’ll fix them in a timely manner. That doesn’t make any sense from a user’s point of view.
I propose to change the security policy to state instead the following:
We mark security issues as blocker issues in Jira and will do our best to fix them within 90 days, unless
- the attacker needs at least script right to exploit the issue
- the impact is low (e.g., minor performance impact, data leak that doesn’t concern actual page contents)
- the issue is hard to exploit (e.g., an admin needs to perform an action that seems unlikely)
In these cases, the security issue can be marked as “Critical” or “Major” in Jira.
The idea of the first two criteria is to match the CVSS criteria “Privileges Required” and the impact for “Confidentiality”/“Integrity”/“Availability”. The third point is less straightforward, and primarily targets issues that require some sort of social engineering. In general, I’ve also tried to take inspiration from the deprecated severity matrix.
I’m not sure if we should have further guidelines for choosing Critical vs. Major; I would leave this to the reporter and/or committer who handles the issue. As far as I know, we also don’t have any criteria for other bugs.
Any opinions or other ideas?