_content/security: explain why no severity labels

Change-Id: I8ba0a75b9f0aecfafa923925c2533c166fa3f169
Reviewed-on: https://go-review.googlesource.com/c/website/+/536316
Reviewed-by: Damien Neil <dneil@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Emmanuel Odeke <emmanuel@orijtech.com>
Auto-Submit: Roland Shoemaker <roland@golang.org>
diff --git a/_content/doc/security/policy.md b/_content/doc/security/policy.md
index 31872fc..a4b78c9 100644
--- a/_content/doc/security/policy.md
+++ b/_content/doc/security/policy.md
@@ -24,7 +24,7 @@
 within 90 days.
 
 If you have not received a reply to your email within 7 days, please follow up
-with the Go security team again at
+with the Go Security team again at
 [security@golang.org](mailto:security@golang.org). Please make sure the word
 **vulnerability** is in your email.
 
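Review bot: the capitalization change from "Go security team" to "Go Security team" in this hunk is unrelated to the commit's stated purpose ("explain why no severity labels") and is not mentioned in the commit message; either call it out in the message as a consistency fix or split it into its own change so the rename can be checked against every other occurrence of the phrase in the file, not just the two this diff happens to touch.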
@@ -37,9 +37,25 @@
 ## Tracks
 
 Depending on the nature of your issue, it will be categorized by the Go
-security team as an issue in the PUBLIC, PRIVATE, or URGENT track. All security
+Security team as an issue in the PUBLIC, PRIVATE, or URGENT track. All security
 issues will be issued CVE numbers.
 
+The Go Security team does not assign traditional fine-grained severity labels
+(e.g CRITICAL, HIGH, MEDIUM, LOW) to security issues because severity depends
+highly on how a user is using the affected API or functionality.
+
+For example, the impact of a resource exhaustion issue in the `encoding/json`
+parser depends on what is being parsed. If the user is parsing trusted JSON
+files from their local filesystem, the impact is likely to be low. If the user
+is parsing untrusted arbitrary JSON from an HTTP request body, the impact may be
+much higher.
+
+That said, the following issue tracks do signal how severe and/or wide-reaching
+the Security team believes an issue to be. For example, an issue with medium to
+significant impact for many users is a PRIVATE track issue in this policy, and
+an issue with negligible to minor impact, or which affects only a small subset
+of users, is a PUBLIC track issue.
+
 ### PUBLIC
 
 Issues in the PUBLIC track affect niche configurations, have very limited
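Review bot: in the added paragraph starting "The Go Security team does not assign traditional fine-grained severity labels", "(e.g CRITICAL, HIGH, MEDIUM, LOW)" is missing the period after "e.g", and "severity depends highly on how a user is using" reads better as "severity depends heavily on how a user uses". More substantively, the closing paragraph maps only two of the three tracks named just above it: an issue with "medium to significant impact for many users" is PRIVATE and one with "negligible to minor impact" is PUBLIC, but nothing here says what the URGENT track signals, so a reader of this summary has to fall back to the track subsections to complete the picture. Suggest adding a clause for URGENT (or explicitly deferring to the sections below) so the three-way categorization introduced in "PUBLIC, PRIVATE, or URGENT track" is covered in one place.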