_content/security: explain why no severity labels
Change-Id: I8ba0a75b9f0aecfafa923925c2533c166fa3f169
Reviewed-on: https://go-review.googlesource.com/c/website/+/536316
Reviewed-by: Damien Neil <dneil@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Emmanuel Odeke <emmanuel@orijtech.com>
Auto-Submit: Roland Shoemaker <roland@golang.org>
diff --git a/_content/doc/security/policy.md b/_content/doc/security/policy.md
index 31872fc..a4b78c9 100644
--- a/_content/doc/security/policy.md
+++ b/_content/doc/security/policy.md
@@ -24,7 +24,7 @@
within 90 days.
If you have not received a reply to your email within 7 days, please follow up
-with the Go security team again at
+with the Go Security team again at
[security@golang.org](mailto:security@golang.org). Please make sure the word
**vulnerability** is in your email.
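Review bot: the change from "Go security team" to "Go Security team" here (and the matching change in the second hunk) is a capitalization/consistency fix that the commit message does not mention; consider adding a line such as "Also capitalize 'Security team' consistently" so the unrelated edit is recorded, and check that no lowercase occurrences remain elsewhere in policy.md.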
@@ -37,9 +37,25 @@
## Tracks
Depending on the nature of your issue, it will be categorized by the Go
-security team as an issue in the PUBLIC, PRIVATE, or URGENT track. All security
+Security team as an issue in the PUBLIC, PRIVATE, or URGENT track. All security
issues will be issued CVE numbers.
+The Go Security team does not assign traditional fine-grained severity labels
+(e.g CRITICAL, HIGH, MEDIUM, LOW) to security issues because severity depends
+highly on how a user is using the affected API or functionality.
+
+For example, the impact of a resource exhaustion issue in the `encoding/json`
+parser depends on what is being parsed. If the user is parsing trusted JSON
+files from their local filesystem, the impact is likely to be low. If the user
+is parsing untrusted arbitrary JSON from an HTTP request body, the impact may be
+much higher.
+
+That said, the following issue tracks do signal how severe and/or wide-reaching
+the Security team believes an issue to be. For example, an issue with medium to
+significant impact for many users is a PRIVATE track issue in this policy, and
+an issue with negligible to minor impact, or which affects only a small subset
+of users, is a PUBLIC track issue.
+
### PUBLIC
Issues in the PUBLIC track affect niche configurations, have very limited
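Review bot: in the new paragraph "(e.g CRITICAL, HIGH, MEDIUM, LOW)" is missing the period after "e.g"; suggest "(e.g., CRITICAL, HIGH, MEDIUM, LOW)". Two smaller style points in the same block: "severity depends highly on how a user is using" reads better as "severity depends heavily on how a user is using", and the closing paragraph maps only PRIVATE and PUBLIC to impact levels while the preceding sentence says the tracks signal severity for all three; a short clause on what distinguishes the URGENT track (for example, that it covers the most severe and widest-reaching issues, consistent with the existing track descriptions below) would make the mapping complete.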