Crowd 2.0 : Crowd Security Advisories and Fixes
This page last changed on Oct 13, 2008 by smaddox.
This page has information on how to report any security bugs you might find in Crowd, and what we will do to fix the problem and announce the solution.

Finding and Reporting a Security Vulnerability

If you find a vulnerability in Crowd, please take the following steps to report it:
Please conduct all communication about the vulnerability through JIRA, so that we can keep track of the issue and get a patch out as soon as possible.

Publication of Security Advisories

When a security issue is discovered in Crowd, we will resolve it as quickly as possible. Once we have a solution, we will let our customers know as follows:
Severity Levels

Atlassian security advisories include a severity level, rating the vulnerability as one of the following:
Below is a summary of the factors which we use to decide on the severity level, and the implications for your installation.

Severity Level: Critical

We classify a vulnerability as critical if most or all of the following are true:
Severity Level: High

We give a high severity level to those vulnerabilities which have the potential to become critical, but have one or more mitigating factors that make exploitation less attractive to attackers. For example, given a vulnerability which has many characteristics of the critical severity level, we would give it a level of high if any of the following are true:
Note: If the mitigating factor arises from a lack of technical details, the severity level would be elevated to critical if those details later became available. If your installation is mission-critical, you may want to treat this as a critical vulnerability.

Severity Level: Moderate

We give a moderate severity level to those vulnerabilities where the scales are slightly tipped in favour of the potential victim. The following vulnerabilities are typically rated moderate:
Severity Level: Low

We give a low severity level to those vulnerabilities which by themselves typically have very little impact on an organisation's infrastructure. Exploitation of such vulnerabilities usually requires local or physical system access. Exploitation may result in client-side privacy or denial of service issues, and in leakage of information about organisational structure, system configuration and versions, or network topology.
Patches and Fixes

When a security issue has been resolved, we will make the solution available as follows:
Published Security Advisories
Document generated by Confluence on Jul 30, 2009 01:29