blob: 441c6714dda2e608021f8c43dba49afed12d60e3 [file] [log] [blame] [view]
Varun Khanejadf1bc00e2017-08-10 05:22:401# Severity Guidelines for Security Issues
2
3[TOC]
4
5Vendors shipping products based on Chromium might wish to rate the severity of
6security issues in the products they release. This document contains guidelines
7for how to rate these issues. Check out our
8[security release management page](https://www.chromium.org/Home/chromium-security/security-release-management)
9for guidance on how to release fixes based on severity.
10
Amy Ressler4e00f882022-02-24 18:03:4111Any significant mitigating factors will generally reduce an issue's severity by one or
12more levels:
13* Not web accessible, reliant solely on direct UI interaction to trigger.
14* Unusual or unlikely user interaction will normally reduce severity by one
15 level. This means interaction which may sometimes occur, but would not be
16 typical of an average user engaging with Chrome or a particular feature in
17 Chrome, nor could a user be easily convinced to perform by a persuasive web page.
18* Requiring profile destruction or browser shutdown will normally reduce
19 severity by one level.
Adrian Taylor850e6c02023-05-15 09:56:2520* [MiraclePtr protection](#TOC-MiraclePtr)
Amy Ressler4e00f882022-02-24 18:03:4121
22Bugs that require implausible interaction, interactions a user would not
23realistically be convinced to perform, will generally be downgraded to a
24functional bug and not considered a security bug.
Adrian Taylor44dbdc82020-01-07 01:49:1925
26Conversely, we do not consider it a mitigating factor if a vulnerability applies
27only to a particular group of users. For instance, a Critical vulnerability is
28still considered Critical even if it applies only to Linux or to those users
29running with accessibility features enabled.
30
31Also note that most crashes do not indicate vulnerabilities. Chromium is designed
32to crash in a controlled manner (e.g., with a ```__debugBreak```) when memory is
Varun Khanejadf1bc00e2017-08-10 05:22:4033exhausted or in other exceptional circumstances.
34
35
Chris Palmer32301112019-02-06 00:02:5636## Critical severity {#TOC-Critical-severity}
Varun Khanejadf1bc00e2017-08-10 05:22:4037
Chris Palmer5c330772019-05-24 23:32:4338Critical severity issues allow an attacker to read or write arbitrary resources
39(including but not limited to the file system, registry, network, et c.) on the
40underlying platform, with the user's full privileges.
Varun Khanejadf1bc00e2017-08-10 05:22:4041
42They are normally assigned priority **Pri-0** and assigned to the current stable
43milestone (or earliest milestone affected). For critical severity bugs,
44[SheriffBot](https://www.chromium.org/issue-tracking/autotriage) will
45automatically assign the milestone.
46
Chris Palmer91bab482019-07-17 00:05:3647**For critical severity vulnerabilities, we aim to deploy the patch to all
48Chrome users in under 30 days.**
Varun Khanejadf1bc00e2017-08-10 05:22:4049
50Critical vulnerability details may be made public in 60 days,
51in accordance with Google's general [vulnerability disclosure recommendations](https://security.googleblog.com/2010/07/rebooting-responsible-disclosure-focus.html),
52or [faster (7 days)](https://security.googleblog.com/2013/05/disclosure-timeline-for-vulnerabilities.html)
53if there is evidence of active exploitation.
54
55Example bugs:
56
Daniel Cheng62a44a82019-09-09 22:15:3657* Memory corruption in the browser process ([319125](https://crbug.com/319125#c10)).
Varun Khanejadf1bc00e2017-08-10 05:22:4058* Exploit chains made up of multiple bugs that can lead to code execution
Chris Palmer5c330772019-05-24 23:32:4359 outside of the sandbox ([416449](https://crbug.com/416449)).
60* A bug that enables web content to read local files
61 ([962500](https://crbug.com/962500)).
Varun Khanejadf1bc00e2017-08-10 05:22:4062
63Note that the individual bugs that make up the chain will have lower severity
64ratings.
65
66
Chris Palmer32301112019-02-06 00:02:5667## High severity {#TOC-High-severity}
Varun Khanejadf1bc00e2017-08-10 05:22:4068
69High severity vulnerabilities allow an attacker to execute code in the context
Lukasz Anforowiczcb7b5142019-07-19 23:40:1670of, or otherwise impersonate other origins or read cross-origin data.
71Bugs which would normally be
Varun Khanejadf1bc00e2017-08-10 05:22:4072critical severity with unusual mitigating factors may be rated as high severity.
73For example, renderer sandbox escapes fall into this category as their impact is
74that of a critical severity bug, but they require the precondition of a
Adrian Taylor6f37ff32020-05-01 00:40:1475compromised renderer. (Bugs which involve using [MojoJS](../../mojo/public/js/README.md)
76to trigger an exploitable browser process crash usually fall into this category).
Amy Ressler4e00f882022-02-24 18:03:4177Another example are bugs that result in memory corruption in the browser
78process, which would normally be critical severity, but require browser shutdown
79or profile destruction, which would lower these issues to high severity. A
80bug with the precondition of browser shutdown or profile destruction should be
81considered to have a maximum severity of high and could potentially be
82reduced by other mitigating factors.
Varun Khanejadf1bc00e2017-08-10 05:22:4083
84They are normally assigned priority **Pri-1** and assigned to the current stable
85milestone (or earliest milestone affected). For high severity bugs,
86[SheriffBot](https://www.chromium.org/issue-tracking/autotriage) will
87automatically assign the milestone.
88
Chris Palmer91bab482019-07-17 00:05:3689**For high severity vulnerabilities, we aim to deploy the patch to all Chrome
90users in under 60 days.**
Varun Khanejadf1bc00e2017-08-10 05:22:4091
92Example bugs:
93
94* A bug that allows full circumvention of the same origin policy. Universal XSS
95bugs fall into this category, as they allow script execution in the context of
96an arbitrary origin ([534923](https://crbug.com/534923)).
97* A bug that allows arbitrary code execution within the confines of the sandbox,
Adrian Taylora9bbed862023-06-12 13:35:4398such as renderer or network process memory corruption (the GPU process is
99sandboxed only on some platforms, so if the bug impacts all Chromium platforms,
100it should be considered unsandboxed)
Varun Khanejadf1bc00e2017-08-10 05:22:40101([570427](https://crbug.com/570427), [468936](https://crbug.com/468936)).
102* Complete control over the apparent origin in the omnibox
103([76666](https://crbug.com/76666)).
104* Memory corruption in the browser process that can only be triggered from a
105compromised renderer, leading to a sandbox escape
106([469152](https://crbug.com/469152)).
107* Kernel memory corruption that could be used as a sandbox escape from a
108compromised renderer ([377392](https://crbug.com/377392)).
109* Memory corruption in the browser process that requires specific user
110interaction, such as granting a permission ([455735](https://crbug.com/455735)).
Lukasz Anforowicz33b14352019-09-20 21:57:58111* Site Isolation bypasses:
112 - Cross-site execution contexts unexpectedly sharing a renderer process
113 ([863069](https://crbug.com/863069), [886976](https://crbug.com/886976)).
114 - Cross-site data disclosure
115 ([917668](https://crbug.com/917668), [927849](https://crbug.com/927849)).
Varun Khanejadf1bc00e2017-08-10 05:22:40116
117
Chris Palmer32301112019-02-06 00:02:56118## Medium severity {#TOC-Medium-severity}
Varun Khanejadf1bc00e2017-08-10 05:22:40119
120Medium severity bugs allow attackers to read or modify limited amounts of
121information, or are not harmful on their own but potentially harmful when
122combined with other bugs. This includes information leaks that could be useful
123in potential memory corruption exploits, or exposure of sensitive user
Chris Palmer91bab482019-07-17 00:05:36124information that an attacker can exfiltrate. Bugs that would normally be rated
125at a higher severity level with unusual mitigating factors may be rated as
126medium severity.
Varun Khanejadf1bc00e2017-08-10 05:22:40127
128They are normally assigned priority **Pri-1** and assigned to the current stable
129milestone (or earliest milestone affected). If the fix seems too complicated to
130merge to the current stable milestone, they may be assigned to the next stable
131milestone.
132
133Example bugs:
134
135* An out-of-bounds read in a renderer process
136([281480](https://crbug.com/281480)).
137* An uninitialized memory read in the browser process where the values are
138passed to a compromised renderer via IPC ([469151](https://crbug.com/469151)).
139* Memory corruption that requires a specific extension to be installed
140([313743](https://crbug.com/313743)).
Amy Ressler4e00f882022-02-24 18:03:41141* Memory corruption in the browser process, triggered by a browser shutdown that
142 is not reliably triggered and/or is difficult to trigger ([1230513](https://crbug.com/1230513)).
143* Memory corruption in the browser process, requiring a non-standard flag and
144 user interaction ([1255332](https://crbug.com/1255332)).
Varun Khanejadf1bc00e2017-08-10 05:22:40145* An HSTS bypass ([461481](https://crbug.com/461481)).
146* A bypass of the same origin policy for pages that meet several preconditions
147([419383](https://crbug.com/419383)).
148* A bug that allows web content to tamper with trusted browser UI
149([550047](https://crbug.com/550047)).
150* A bug that reduces the effectiveness of the sandbox
151([338538](https://crbug.com/338538)).
152* A bug that allows arbitrary pages to bypass security interstitials
153([540949](https://crbug.com/540949)).
154* A bug that allows an attacker to reliably read or infer browsing history
155([381808](https://crbug.com/381808)).
156* An address bar spoof where only certain URLs can be displayed, or with other
157mitigating factors ([265221](https://crbug.com/265221)).
158* Memory corruption in a renderer process that requires specific user
159interaction, such as dragging an object ([303772](https://crbug.com/303772)).
160
161
Chris Palmer32301112019-02-06 00:02:56162## Low severity {#TOC-Low-severity}
Varun Khanejadf1bc00e2017-08-10 05:22:40163
164Low severity vulnerabilities are usually bugs that would normally be a higher
165severity, but which have extreme mitigating factors or highly limited scope.
166
167They are normally assigned priority **Pri-2**. Milestones can be assigned to low
168severity bugs on a case-by-case basis, but they are not normally merged to
169stable or beta branches.
170
171Example bugs:
172
173* Bypass requirement for a user gesture ([256057](https://crbug.com/256057)).
174* Partial CSP bypass ([534570](https://crbug.com/534570)).
175* A limited extension permission bypass ([169632](https://crbug.com/169632)).
176* An uncontrolled single-byte out-of-bounds read
177([128163](https://crbug.com/128163)).
178
Adrian Taylorb3f73122020-04-30 00:56:14179
Adrian Taylor364e9fd2020-11-04 22:41:11180## Can't impact Chrome users by default {#TOC-No-impact}
181
182If the bug can't impact Chrome users by default, this is denoted instead by
183the **Security-Impact_None** label. See
184[the security labels document](security-labels.md#TOC-Security_Impact-None)
185for more information. The bug should still have a severity set according
186to these guidelines.
187
188
Adrian Taylorb3f73122020-04-30 00:56:14189## Not a security bug {#TOC-Not-a-security-bug}
190
Varun Khanejadf1bc00e2017-08-10 05:22:40191The [security FAQ](faq.md) covers many of the cases that we do not consider to
Adrian Taylorb3f73122020-04-30 00:56:14192be security bugs, such as [denial of service](faq.md#TOC-Are-denial-of-service-issues-considered-security-bugs-)
193and, in particular, null pointer dereferences with consistent fixed offsets.
Adrian Taylorb1691a82022-08-23 18:54:37194
195
Adrian Taylor850e6c02023-05-15 09:56:25196## "MiraclePtr" protection against use-after-free {#TOC-MiraclePtr}
Adrian Taylorb1691a82022-08-23 18:54:37197
198["MiraclePtr"](../../base/memory/raw_ptr.md) is a technology designed to
199deterministically prevent exploitation of use-after-free bugs. Address
200sanitizer is aware of MiraclePtr and will report on whether a given
201use-after-free bug is protected or not:
202
203```
204MiraclePtr Status: NOT PROTECTED
205No raw_ptr<T> access to this region was detected prior to the crash.
206```
207
208or
209
210```
211MiraclePtr Status: PROTECTED
212The crash occurred while a raw_ptr<T> object containing a dangling pointer was being dereferenced.
213MiraclePtr should make this crash non-exploitable in regular builds.
214```
215
Amy Ressler304b2dd32023-10-26 17:30:40216MiraclePtr is now active on all Chrome platforms in non-renderer processes as of 118.
217Severity assessments are made with consideration of all active release channels (Dev, Beta, Stable, and Extended Stable);
218BRP is now enabled in all active release channels.
Adrian Taylor850e6c02023-05-15 09:56:25219
Amy Ressler304b2dd32023-10-26 17:30:40220If a bug is marked `MiraclePtr Status:PROTECTED`, it should be downgraded by one severity level.
221(For example, a bug that would previously be High severity would now be only Medium severity).