Security Policy: proposed change regarding severity computation

Hi everyone,

I’m posting this proposal to perform a few changes in our Security Policy regarding the Severity section. We noticed a trend in the industry of using a CVSS 7.0 score as a threshold when analyzing security issues, so I propose to start using the same threshold as the single criterion for making a distinction between critical and high severity, but to then have properly documented CVSS computation criteria to take into account the specifics of the XWiki rights and security model.

The proposal for the documented CVSS criteria is available in Security Policy: Computation criteria for CVSS

Also I propose that we start always using CVSS 4 to compute the score as it’s more detailed and fits XWiki better, and that we always document in detail in our advisories the explanation of the computed score, like what we can see in CVSS v4.0 Examples. That information will be particularly useful in the long run, as our computation criteria might also evolve.

Finally, I propose that even if a vulnerability has a CVSS score < 7, the handler could raise it to critical if there’s a strong argument for it, for example a high impact.

So I propose to rewrite the Severity section with the following:

The severity of the security tickets should be computed using a CVSS 4 calculator such as https://nvd.nist.gov/vuln-metrics/cvss/v4-calculator.

Security issues are marked as “Critical” issues if the CVSS score is >= 7, otherwise they are marked as “Major”.

A committer reviewing a security issue could decide to raise the severity to “Critical” for a vulnerability with a CVSS score < 7:

  • if there’s a high system impact
  • for another reason if there’s a strong argument for it, after discussing within available channels

Finally, as an exception, a security issue can be classified as “Blocker” after discussing it within available channels, for example, when the security issue is actively exploited.

And I propose to edit the security advisory template documented in the policy to change the Impact section with:

### Impact

Describe here the impact of the vulnerability and provide information about the versions of XWiki impacted by it.

#### CVSS Score Computation Details

| Metric                            | Value                   | Comment       |
| --------------------------------- | ----------------------- | ------------- |
| Attack Vector                     | Network                 | Your comment. |
| Attack Complexity                 | Low / High              | Your comment. |
| Attack Requirements               | None / Present          | Your comment. |
| Privileges Required               | None / Low / High       | Your comment. |
| User Interaction                  | None / Passive / Active | Your comment. |
| Vulnerable System Confidentiality | None / Low / High       | Your comment. |
| Vulnerable System Integrity       | None / Low / High       | Your comment. |
| Vulnerable System Availability    | None / Low / High       | Your comment. |
| Subsequent System Confidentiality | None / Low / High       | Your comment. |
| Subsequent System Integrity       | None / Low / High       | Your comment. |
| Subsequent System Availability    | None / Low / High       | Your comment. |

wdyt?
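As an added illustration (not part of the post above nor of the XWiki policy or code base), the following script parses a CVSS v4.0 base vector into the rows of the proposed advisory table, rejects vectors that are not CVSS 4.0 or that miss a base metric, and applies the proposed severity rule (score >= 7 is Critical, otherwise Major, with the committer override and the Blocker exception); the function names and the `raised_by_committer` / `blocker_agreed` flags are assumptions chosen for this example.

```python
# Added example: CVSS 4.0 base vector -> advisory template rows + proposed severity rule.
# Not XWiki code; metric names follow the proposed table, abbreviations follow the CVSS 4.0 spec.
BASE_METRICS = {  # vector key -> (template row name, allowed values)
    "AV": ("Attack Vector", {"N": "Network", "A": "Adjacent", "L": "Local", "P": "Physical"}),
    "AC": ("Attack Complexity", {"L": "Low", "H": "High"}),
    "AT": ("Attack Requirements", {"N": "None", "P": "Present"}),
    "PR": ("Privileges Required", {"N": "None", "L": "Low", "H": "High"}),
    "UI": ("User Interaction", {"N": "None", "P": "Passive", "A": "Active"}),
    "VC": ("Vulnerable System Confidentiality", {"N": "None", "L": "Low", "H": "High"}),
    "VI": ("Vulnerable System Integrity", {"N": "None", "L": "Low", "H": "High"}),
    "VA": ("Vulnerable System Availability", {"N": "None", "L": "Low", "H": "High"}),
    "SC": ("Subsequent System Confidentiality", {"N": "None", "L": "Low", "H": "High"}),
    "SI": ("Subsequent System Integrity", {"N": "None", "L": "Low", "H": "High"}),
    "SA": ("Subsequent System Availability", {"N": "None", "L": "Low", "H": "High"}),
}

def parse_vector(vector):
    """Return {row name: value} in table order for a CVSS:4.0 vector; raise on bad input."""
    parts = vector.split("/")
    if parts[0] != "CVSS:4.0":
        raise ValueError("not a CVSS 4.0 vector: " + vector)
    found = {}
    for part in parts[1:]:
        key, _, val = part.partition(":")
        if key not in BASE_METRICS:
            continue  # threat/environmental/supplemental metrics are not table rows
        name, values = BASE_METRICS[key]
        if val not in values:
            raise ValueError(f"invalid value {val!r} for metric {key}")
        found[name] = values[val]
    missing = [name for name, _ in BASE_METRICS.values() if name not in found]
    if missing:
        raise ValueError("missing base metrics: " + ", ".join(missing))
    return {name: found[name] for name, _ in BASE_METRICS.values()}

def severity(score, raised_by_committer=False, blocker_agreed=False):
    """Proposed rule: Blocker (agreed in channels) > Critical (>= 7 or raised) > Major."""
    if blocker_agreed:  # e.g. actively exploited, decided after discussion
        return "Blocker"
    return "Critical" if score >= 7 or raised_by_committer else "Major"

def table(metrics, comments=None):
    """Render the 'CVSS Score Computation Details' markdown table of the template."""
    rows = ["| Metric | Value | Comment |", "| --- | --- | --- |"]
    for name, value in metrics.items():
        rows.append(f"| {name} | {value} | {(comments or {}).get(name, 'Your comment.')} |")
    return "\n".join(rows)
```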

Sounds good +1

Note some typos in the text proposed.

+1

Thanks,
Marius

+1

I just updated the policy with the proposal made above: https://dev.xwiki.org/xwiki/bin/view/Community/SecurityPolicy/?viewer=changes&rev1=36.1&rev2=37.1&