Update security bug severity guidelines to categorize exploitable GPU
process bugs as critical severity when reachable directly from web
content.

Change-Id: I7acd2938651f6bfdf09cf15737bab28bda822219
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4934130
Commit-Queue: Chris Bookholt <[email protected]>
Reviewed-by: danakj <[email protected]>
Cr-Commit-Position: refs/heads/main@{#1229375}
diff --git a/docs/security/severity-guidelines.md b/docs/security/severity-guidelines.md
index 441c6714..fcde175 100644
--- a/docs/security/severity-guidelines.md
+++ b/docs/security/severity-guidelines.md
@@ -36,7 +36,7 @@
 ## Critical severity {#TOC-Critical-severity}
 
 Critical severity issues allow an attacker to read or write arbitrary resources
-(including but not limited to the file system, registry, network, et c.) on the
+(including but not limited to the file system, registry, network, etc.) on the
 underlying platform, with the user's full privileges.
 
 They are normally assigned priority **Pri-0** and assigned to the current stable
@@ -55,6 +55,9 @@
 Example bugs:
 
 * Memory corruption in the browser process ([319125](https://crbug.com/319125#c10)).
+* Memory corruption in the GPU process when it is reachable directly from web
+  content without compromising the renderer.
+  ([1420130](https://crbug.com/1420130), [1427865](https://crbug.com/1427865))
 * Exploit chains made up of multiple bugs that can lead to code execution
   outside of the sandbox ([416449](https://crbug.com/416449)).
 * A bug that enables web content to read local files
@@ -95,19 +98,19 @@
 bugs fall into this category, as they allow script execution in the context of
 an arbitrary origin ([534923](https://crbug.com/534923)).
 * A bug that allows arbitrary code execution within the confines of the sandbox,
-such as renderer or network process memory corruption (the GPU process is
-sandboxed only on some platforms, so if the bug impacts all Chromium platforms,
-it should be considered unsandboxed)
+such as memory corruption in the renderer process
 ([570427](https://crbug.com/570427), [468936](https://crbug.com/468936)).
 * Complete control over the apparent origin in the omnibox
 ([76666](https://crbug.com/76666)).
-* Memory corruption in the browser process that can only be triggered from a
-compromised renderer, leading to a sandbox escape
-([469152](https://crbug.com/469152)).
+* Memory corruption in the browser or another high privileged process (e.g. GPU
+  or network process), that can only be triggered from a compromised renderer,
+  leading to a sandbox escape ([1393177](https://crbug.com/1393177),
+  [1421268](crbug.com/1421268)).
 * Kernel memory corruption that could be used as a sandbox escape from a
 compromised renderer ([377392](https://crbug.com/377392)).
-* Memory corruption in the browser process that requires specific user
-interaction, such as granting a permission ([455735](https://crbug.com/455735)).
+* Memory corruption in the browser or another high privileged process (e.g. GPU
+  or network process) that requires specific user interaction, such as granting
+  a permission ([455735](https://crbug.com/455735)).
 * Site Isolation bypasses:
     - Cross-site execution contexts unexpectedly sharing a renderer process
       ([863069](https://crbug.com/863069), [886976](https://crbug.com/886976)).