Hello everyone,
this proposal is about changing what’s documented in XWiki Security Policy - XWiki to rely mainly on CVSS.
I found that our current documentation is ambiguous for several reasons:
- reporters of security issues do know about CVSS, while our current matrix is really internal
- our matrix is currently very ambiguous for plenty of cases (e.g. how do you assess the severity of an RCE right now?)
- we do use CVSS when creating the advisories now
So my proposal is the following:
- Always compute CVSS for new security tickets and indicate the CVSS computation in a dedicated field in the Jira ticket
- Provide an indicative mapping between the CVSS score and the Jira priority: e.g. Minor: 0.1-3.9, Major: 4.0-6.9, Critical: 7.0-8.9, Blocker: 9.0-10.0
- Indicate that this mapping can be modulated on a case-by-case basis, taking into account at least the rights scheme of XWiki, since CVSS only has 3 values for "Privileges Required"
- Stop using attacker_* and attack_* labels
- Add a dedicated Jira field for the CWE classification, which could replace the attack_* semantic labels
wdyt?