[Reportbug-maint] Bug#762232: reportbug: has no good category for web apps exploitability

Toni Mueller support at oeko.net
Fri Sep 19 20:16:37 UTC 2014


Hello Sandro,

On Fri, Sep 19, 2014 at 09:05:08PM +0100, Sandro Tosi wrote:
> > Please consider assigning an appropriate category to this kind of
> > problem and offer the user to set the security tag on the affected
> > report.
> 
> Can you please clarify what this "category" you're describing is? Is
> it an additional severity (like "critical", "grave", "minor", etc.) or
> a tag (like "ipv6", "lfs", etc.)?

I was unsure where to put it, and reading the categories' descriptions,
nothing seemed to fit: such a problem usually does not introduce a local
root exploit, nor a local user exploit, as far as I can see, as usually
only unrelated third parties are directly affected - and the user who
runs such software will only be indirectly affected by having his site
appear on various lists he might not want to be on, damaging his
reputation. These are the descriptions associated with grave and
serious. Whether one would want an additional category, or would alter
the definition of one of the existing categories to cover this case, I
am indifferent to, but if we are going the latter route, a specific tag
would be nice.

> From what you describe, I think the right categorization for now is:
> severity=critical, tags=security - what would be the advantage of
> introducing a more fine grained categorization for those issues?

To me, "critical" seemed to be reserved for root exploits. But the
attacker does not gain root, and may not even be able to alter any data
on the computer, while still using a computer with the vulnerable
software to cause harm to unrelated third parties.


Kind regards,
--Toni++
