From c33da0ea5bdbd687bbe1856e92ea3dd01d6778c7 Mon Sep 17 00:00:00 2001 From: Luca Boccassi Date: Sat, 9 May 2020 12:58:01 +0100 Subject: [PATCH] Problem: we lack an (internal) definition of severity for security issues Solution: attempt to define a reasonable one --- SECURITY.md | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/SECURITY.md b/SECURITY.md index 4274a74a..561a3956 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -22,6 +22,29 @@ please send a GPG encrypted email with the details to the maintainers: | Doron Somech | somdoron@gmail.com | E0B0 E3D1 55DD 6ED6 71FB 2B79 D0B9 CC44 867D 8F3D | | Luca Boccassi | luca.boccassi@gmail.com | A9EA 9081 724F FAE0 484C 35A1 A81C EA22 BC8C 7E2E | +## Internal severity classification + +We will attempt to follow this general policy when assigning a severity to +security issues. These are guidelines more than rules, and as such end +results might vary. + + +| Severity | Definition | +| -------- | ---------- | +| CRITICAL | endpoints using STRONG authentication are SILENTLY affected | +| HIGH | endpoints using STRONG authentication are VISIBLY affected | +| MODERATE | endpoints NOT using STRONG authentication are SILENTLY affected | +| LOW | endpoints NOT using STRONG authentication are VISIBLY affected | + +STRONG authentication means transports that use cryptography, for example CURVE +and TLS. + +VISIBLY affected means that platform owners are likely to immediately notice +misbehaviours, like crashes or loss of connectivity for legitimate peers. + +SILENTLY affected means that without close inspection, platform owners are +unlikely to notice misbehaviours, like remote code executions or data exfiltration. + ### Public keys
Doron Somech