[openssl-commits] [web] master update
Mark J. Cox
mark at openssl.org
Mon Sep 28 12:09:33 UTC 2015
The branch master has been updated
via b2b47654bac1dd2793ad8eecd02b3ff832f084c4 (commit)
from a75e0423f02a7c5c89874befd98512f867a56c28 (commit)
- Log -----------------------------------------------------------------
commit b2b47654bac1dd2793ad8eecd02b3ff832f084c4
Author: Mark J. Cox <mark at awe.com>
Date: Mon Sep 28 13:07:43 2015 +0100
Update security policy as agreed to include a new critical level, for
background see associated blog post
-----------------------------------------------------------------------
Summary of changes:
policies/secpolicy.html | 51 +++++++++++++++++++++++++++++++------------------
1 file changed, 32 insertions(+), 19 deletions(-)
diff --git a/policies/secpolicy.html b/policies/secpolicy.html
index 832510d..e75ca67 100644
--- a/policies/secpolicy.html
+++ b/policies/secpolicy.html
@@ -12,7 +12,7 @@
<header>
<h2>Security Policy</h2>
<h5>
- Last modified 7th September 2014
+ Last modified 28th September 2015
</h5>
</header>
<div class="entry-content">
@@ -110,6 +110,36 @@
We divide the issues into the following categories:</p>
<ul>
+ <li><em>CRITICAL Severity.</em>
+ This affects common configurations and which are also likely to
+ be exploitable. Examples include significant disclosure of the
+ contents of server memory (potentially revealing user details),
+ vulnerabilities which can be easily exploited remotely to
+ compromise server private keys (excluding local, theoretical or
+ difficult to exploit side channel attacks) or where remote code
+ execution is considered likely in common situations. These
+ issues will be kept private and will trigger a new release of
+ all supported versions. We will attempt to address these as
+ soon as possible.</li>
+
+ <li>
+ <em>HIGH Severity.</em>
+ This includes issues that are of a lower risk than critical,
+ perhaps due to affecting less common configurations, or which
+ are less likely to be exploitable. These issues will be kept
+ private and will trigger a new release of all supported
+ versions. We will attempt to keep the time these issues are
+ private to a minimum; our aim would be no longer than a month
+ where this is something under our control</li>
+
+ <li>
+ <em>MODERATE Severity.</em>
+ This includes issues like crashes in client applications,
+ flaws in protocols that are less commonly used (such as DTLS),
+ and local flaws. These will in general be kept private until
+ the next release, and that release will be scheduled so that it
+ can roll up several such flaws at one time.</li>
+
<li>
<em>LOW Severity.</em>
This includes issues such as those that only affect the
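Review bot: the new CRITICAL item opens with "This affects common configurations and which are also likely to be exploitable", which does not parse; suggest "This affects common configurations which are also likely to be exploitable." (the wording the removed HIGH text used). The new HIGH item also ends "where this is something under our control</li>" with no full stop, unlike the other list items, so add the period before the closing tag.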
@@ -120,23 +150,6 @@
will update the vulnerabilities page and note the issue CVE in
the changelog and commit message, but they may not trigger new
releases.</li>
- <li>
- <em>MODERATE Severity.</em>
- This includes issues like crashes in client applications,
- flaws in protocols that are less commonly used (such as DTLS),
- and local flaws. These will in general be kept private until
- the next release, and that release will be scheduled so that it
- can roll up several such flaws at one time.</li>
- <li><em>HIGH Severity.</em>
- This includes issues affecting common configurations which are
- also likely to be exploitable. Examples include a server DoS, a
- significant leak of server memory, and remote code execution.
- These issues will be kept private and will trigger a new release
- of all supported versions. We will attempt to keep the time
- these issues are private to a minimum; our aim would be no
- longer than a month where this is something under our control,
- and significantly quicker if there is a significant risk or we
- are aware the issue is being exploited.</li>
</ul>
<p>During the investigation of issues we may work with individuals
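Review bot: the removed HIGH text ended with "and significantly quicker if there is a significant risk or we are aware the issue is being exploited", and neither the new CRITICAL nor the new HIGH entry carries that commitment forward; the new CRITICAL item only says "We will attempt to address these as soon as possible." If dropping the active-exploitation clause is intentional it should be stated in the commit message, otherwise restore it to the new HIGH item (or to CRITICAL, where the exploited-in-the-wild case now belongs).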
@@ -161,7 +174,7 @@
to handle triaging our announcement and what it means to
their organisation.</p>
- <p>For updates that include high severity issues we will
+ <p>For updates that include critical or high severity issues we will
also prenotify with more details and patches. Our policy
is to let the organisations that have a general purpose OS
that uses OpenSSL have a few days notice in order to prepare