Add class B3 and an example for C1 to the taxonomy
Be more explicit that OSSA does not cover vulnerabilities in experimental features, backends and drivers by adding a new class B3 for these in the taxonomy. Also clarify that vulnerabilities relying on UUID guessing are considered impractical, as an example for class C1.

Change-Id: Ie73dfb0358913e6bdfeba56e6105f8156382d042
This commit is contained in:
parent
c90436cc33
commit
75267d110b
@ -183,9 +183,13 @@ warrant an advisory.
| | | yet, security note for all versions, |
| | | e.g., poor architecture / design |
+----------+-----------+-------------------------------------------+
| Class B3 | OSSN | A vulnerability in experimental or |
| | | debugging features not intended for |
| | | production use |
+----------+-----------+-------------------------------------------+
| Class C1 | Potential | Not considered a practical vulnerability |
| | OSSN | (but some people might assign a CVE for |
| | | it) |
| | | it), e.g. one depending on UUID guessing |
+----------+-----------+-------------------------------------------+
| Class C2 | Potential | A vulnerability, but not in OpenStack |
| | OSSN | supported code, e.g., in a dependency |
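Review bot: The new Class B3 row describes "experimental or debugging features not intended for production use", but the commit message says the class is meant to cover experimental features, backends and drivers; backends and drivers are not mentioned anywhere in the row text, so a reader of the table alone would not know they fall under B3. Suggest widening the description, e.g. "A vulnerability in experimental or debugging features, backends or drivers not intended for production use", keeping within the column width of the grid table. Minor style point on the changed Class C1 line: the rest of the table writes "e.g.," with a trailing comma ("e.g., poor architecture / design", "e.g., in a dependency"), while the new text reads "e.g. one depending on UUID guessing"; align it to "e.g., one depending on UUID guessing" for consistency.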