These are the severity guidelines for Chrome OS Security Issues. They are related to to the Severity Guidelines for Chrome Security Issues. One key difference between the Chrome and Chrome OS security model is that Chrome OS needs to protect against physically local attackers in certain cases, such as at the lockscreen.
Critical severity issues breach vital security boundaries. The following boundaries are considered critical:
They are normally assigned priority Pri-0 and assigned to the current stable milestone (or earliest milestone affected). For critical severity bugs, SheriffBot will automatically assign the milestone.
For critical vulnerabilities, we aim to deploy the patch to all Chrome OS users in under 30 days.
Critical vulnerability details may be made public in 60 days, in accordance with Google's general vulnerability disclosure recommendations, or faster (7 days), if there is evidence of active exploitation.
A typical type of critical vulnerability on Chrome OS is an exploit chain comprising individual bugs that allows persistent root access on a machine, even on guest mode (766253).
Note that the individual bugs that make up the chain will have lower severity ratings.
A high severity bug allows code execution in a sandboxed process. Bugs which would normally be critical severity with mitigating factors may be rated as high severity. Mitigating factors include:
The above might be generalized to: bugs that allow bypassing of protection domains are rated as High severity. A Chrome sandbox escapes allows bypassing the Chrome sandbox. A bug that allows code execution as the chronos user would also be rated High severity. The individual bug that allows kernel code execution from root (or a regular user) would be rated High severity. The bug that allows for exploit persistence given root access would be rated High severity as well.
In general, these are the layers of protection whose bypasses we consider High-severity bugs:
chronos
user code executionFull chain exploits don‘t always need to break all these layers. For example, most persistent exploitation doesn’t need a kernel exploit.
They are normally assigned priority Pri-1 and assigned to the current stable milestone (or earliest milestone affected). For high severity bugs, SheriffBot will automatically assign the milestone.
For high severity vulnerabilities, we aim to deploy the patch to all Chrome users in under 60 days.
Medium severity bugs allow attackers to read or modify limited amounts of information, or are not harmful on their own but potentially harmful when combined with other bugs. This includes information leaks that could be useful in potential memory corruption exploits, or exposure of sensitive user information that an attacker can exfiltrate. Bugs that would normally rated at a higher severity level with unusual mitigating factors may be rated as medium severity.
Examples of medium severity bugs include:
They are normally assigned priority Pri-1 and assigned to the current stable milestone (or earliest milestone affected). If the fix seems too complicated to merge to the current stable milestone, they may be assigned to the next stable milestone.
Low severity vulnerabilities are usually bugs that would normally be a higher severity, but which have extreme mitigating factors or highly limited scope.
Example bugs:
They are normally assigned priority Pri-2. Milestones can be assigned to low severity bugs on a case-by-case basis, but they are not normally merged to stable or beta branches.
Some bugs are commonly reported as security bugs but are not actually considered security relevant. When triaging a bug that is determined to not be a security issue, re-classify as Type=Bug, and assign it to a relevant component or owner.
These bugs are often: