These are the severity guidelines for Chrome OS Security Issues. They are related to to the Severity Guidelines for Chrome Security Issues. One key difference between the Chrome and Chrome OS security models is that Chrome OS needs to protect against physically local attackers in certain cases, such as at the lock screen.
Critical severity issues breach vital security boundaries. The following boundaries are considered critical:
They are normally assigned priority Pri-0 and assigned to the current stable milestone (or earliest milestone affected). For critical severity bugs, SheriffBot will automatically assign the milestone.
For critical vulnerabilities in the Chrome browser, we aim to release a fix no later than seven days after the vulnerability is fixed in the Chrome desktop stable channel. For all other critical vulnerabilities, we aim release a fix in under 14 days.
Critical vulnerability details may be made public in 60 days, in accordance with Google's general vulnerability disclosure recommendations, or faster (7 days), if there is evidence of active exploitation.
A typical type of critical vulnerability on Chrome OS is an exploit chain comprising individual bugs that allows persistent root access on a machine, even in guest mode (crbug.com/766253).
For a critical severity exploit chain, releasing a fix that breaks the chain, that is, a fix that resolves one of the links in the exploit chain, is enough to consider the exploit chain fixed in the stable channel.
Note that the individual bugs that make up the chain will have lower severity ratings.
A high severity bug allows code execution in a sandboxed process. Bugs which would normally be critical severity may be rated as high severity when mitigating factors exist. These include:
The above might be generalized to: bugs that allow bypassing of protection domains are rated as High severity. A Chrome sandbox escapes allows bypassing the Chrome sandbox. A bug that allows code execution as the chronos
user would also be rated High severity. The individual bug that allows kernel code execution from root (or a regular user) would be rated High severity. The bug that allows for exploit persistence given root access would be rated High severity as well.
In general, these are the bypasses we consider High-severity bugs:
chronos
user code executionchronos
/unprivileged user native code execution to root
(or other more privileged user, such as system service users) code executionFull chain exploits don‘t always need to break all these layers. For example, most persistent exploitation chains don’t need a kernel bug.
They are normally assigned priority Pri-1 and assigned to the current stable milestone (or earliest milestone affected). For high severity bugs, SheriffBot will automatically assign the milestone.
For high severity vulnerabilities, we aim to release a fix in under 30 days.
Medium severity bugs allow attackers to read or modify limited amounts of information, or are not harmful on their own but potentially harmful when combined with other bugs. This includes information leaks that could be useful in potential memory corruption exploits, or exposure of sensitive user information that an attacker can exfiltrate. Bugs that would normally rated at a higher severity level with unusual mitigating factors may be rated as medium severity.
Examples of medium severity bugs include:
They are normally assigned priority Pri-1 and assigned to the current stable milestone (or earliest milestone affected). If the fix seems too complicated to merge to the current stable milestone, they may be assigned to the next stable milestone.
Low severity vulnerabilities are usually bugs that would normally be a higher severity, but which have extreme mitigating factors or highly limited scope.
Example bugs:
They are normally assigned priority Pri-2. Milestones can be assigned to low severity bugs on a case-by-case basis, but they are not normally merged to stable or beta branches.
Security Impact labels are used to identify what release a particular security bug is present in.
Security_Impact-None
is used in the following cases:
Some bugs are commonly reported as security bugs but are not actually considered security relevant. When triaging a bug that is determined to not be a security issue, re-classify as Type=Bug, and assign it to a relevant component or owner.
These bugs are often: