Commit 46f47e6

committed
Merge branch '3.4' into 4.1

* 3.4:
  Add severity rankings to security policy
  Replaced the table of cache warmers by the debug:container command
  Fix list of core cache warmers
2 parents c34e5c3 + b0299f9 commit 46f47e6

2 files changed

+81
-12
lines changed

contributing/code/security.rst

+72
@@ -91,6 +91,78 @@ of the downstream projects included in this process:
9191
* Drupal (releases typically happen on Wednesdays)
9292
* eZPublish
9393

94+
Issue Severity
95+
--------------
96+
97+
In order to determine the severity of a security issue we take into account
98+
the complexity of any potential attack, the impact of the vulnerability and
99+
also how many projects it is likely to affect. This score out of 15 is then
100+
converted into a level of: Low, Medium, High, Critical, or Exceptional.
101+
102+
Attack Complexity
103+
~~~~~~~~~~~~~~~~~
104+
105+
*Score of between 1 and 5 depending on how complex it is to exploit the
106+
vulnerability*
107+
108+
* 4 - 5 Basic: attacker must follow a set of simple steps
109+
* 2 - 3 Complex: attacker must follow non-intuitive steps with a high level
110+
of dependencies
111+
* 1 - 2 High: A successful attack depends on conditions beyond the attacker's
112+
control. That is, a successful attack cannot be accomplished at will, but
113+
requires the attacker to invest in some measurable amount of effort in
114+
preparation or execution against the vulnerable component before a successful
115+
attack can be expected.
116+
117+
Impact
118+
~~~~~~
119+
120+
*Scores from the following areas are added together to produce a score. The
121+
score for Impact is capped at 6. Each area is scored between 0 and 4.*
122+
123+
* Integrity: Does this vulnerability cause non-public data to be accessible?
124+
If so, does the attacker have control over the data disclosed? (0-4)
125+
* Disclosure: Can this exploit allow system data (or data handled by the
126+
system) to be compromised? If so, does the attacker have control over
127+
modification? (0-4)
128+
* Code Execution: Does the vulnerability allow arbitrary code to be executed
129+
on an end-users system, or the server that it runs on? (0-4)
130+
* Availability: Is the availability of a service or application affected? Is
131+
it reduced availability or total loss of availability of a service /
132+
application? Availability includes networked services (e.g., databases) or
133+
resources such as consumption of network bandwidth, processor cycles, or
134+
disk space. (0-4)
135+
136+
Affected Projects
137+
~~~~~~~~~~~~~~~~~
138+
139+
*Scores from the following areas are added together to produce a score. The
140+
score for Affected Projects is capped at 4.*
141+
142+
* Will it affect some or all using a component? (1-2)
143+
* Is the usage of the component that would cause such a thing already
144+
considered bad practice? (0-1)
145+
* How common/popular is the component (e.g. Console vs HttpFoundation vs
146+
Lock)? (0-2)
147+
* Are a number of well-known open source projects using Symfony affected
148+
that requires coordinated releases? (0-1)
149+
150+
Score Totals
151+
~~~~~~~~~~~~
152+
153+
* Attack Complexity: 1 - 4
154+
* Impact: 1 - 6
155+
* Affected Projects: 1 - 4
156+
157+
Severity levels
158+
~~~~~~~~~~~~~~~
159+
160+
* Low: 1 - 5
161+
* Medium: 6 - 10
162+
* High: 11 - 12
163+
* Critical: 13 - 14
164+
* Exceptional: 15
165+
94166
Security Advisories
95167
-------------------
96168
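Review bot: the Score Totals list (`* Attack Complexity: 1 - 4`) contradicts the Attack Complexity section above it, which scores that area between 1 and 5 (`* 4 - 5 Basic: attacker must follow a set of simple steps`); with 4 + 6 + 4 the maximum total is 14, yet the intro says the score is "out of 15" and the Severity levels list ends with `* Exceptional: 15`, so either the total should read `1 - 5` or the Basic band should be lowered. The Complex (`2 - 3`) and High (`1 - 2`) bands also overlap at 2, so a score of 2 maps to two categories; making the bands disjoint avoids ambiguous rankings. Within the Impact list the Integrity and Disclosure bullets look swapped: "Integrity" is described as non-public data becoming accessible, which is a disclosure (confidentiality) impact, while "Disclosure" asks whether the attacker controls modification, which is an integrity impact; swapping the two labels would make the definitions consistent with their names. Minor: since each Impact area is scored 0-4, the Impact total can be 0, so `* Impact: 1 - 6` understates the range.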

reference/dic_tags.rst

+9-12
@@ -400,18 +400,15 @@ can also register it manually:
400400
application and/or bundles should be prepared for when the contents
401401
generated by the cache warmer are not available.
402402

403-
Core Cache Warmers
404-
~~~~~~~~~~~~~~~~~~
405-
406-
+-------------------------------------------------------------------------------------------+-----------+
407-
| Cache Warmer Class Name | Priority |
408-
+===========================================================================================+===========+
409-
| :class:`Symfony\\Bundle\\FrameworkBundle\\CacheWarmer\\TemplatePathsCacheWarmer` | 20 |
410-
+-------------------------------------------------------------------------------------------+-----------+
411-
| :class:`Symfony\\Bundle\\FrameworkBundle\\CacheWarmer\\RouterCacheWarmer` | 0 |
412-
+-------------------------------------------------------------------------------------------+-----------+
413-
| :class:`Symfony\\Bundle\\TwigBundle\\CacheWarmer\\TemplateCacheCacheWarmer` | 0 |
414-
+-------------------------------------------------------------------------------------------+-----------+
403+
.. _core-cache-warmers:
404+
405+
In addition to your own cache warmers, Symfony components and third-party
406+
bundles define cache warmers too for their own purposes. You can list them all
407+
with the following command:
408+
409+
.. code-block:: terminal
410+
411+
$ php bin/console debug:container --tag=kernel.cache_warmer
415412
416413
.. _dic-tags-kernel-event-listener:
417414
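Review bot: the `.. _core-cache-warmers:` label is kept, but the `Core Cache Warmers` section title it used to precede is removed, so the label now sits in front of a plain paragraph; in Sphinx a bare `:ref:`core-cache-warmers`` only resolves when the label precedes a section title, so any existing cross-reference to this label needs either an explicit title (`:ref:`text <core-cache-warmers>``) or a short heading restored above the paragraph. It would also help to add a sentence after the `debug:container --tag=kernel.cache_warmer` command saying where the reader now finds the priority of each warmer, since the priority column (for example `| 20 |` for `TemplatePathsCacheWarmer`) was the only information in the removed table that the introductory text does not otherwise carry.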
