OpenSSL adds 'Critical' severity level to security policy
The OpenSSL Project has updated its security policy to include a “Critical" severity level.
The OpenSSL Project said Monday that it had updated its security policy to include a “Critical" severity level.
The new distinction will be used to label vulnerabilities that affect "common use cases of OpenSSL" and with a high likelihood of being exploitable, according to a blog post.
Significant disclosure of the contents of server memory, vulnerabilities which can be easily exploited remotely to compromise server private keys, and those where remote code execution is considered likely in common situations are among the vulnerabilities that would meet critical severity criteria, the blog said. The new rating excluded local, theoretical or difficult to exploit side channel attacks.
Calling the previous top scoring level of “High” too broad, OpenSSL noted it covered issues ranging from denial-of-service (DDoS) to remote code execution. The change in policy is meant to help users prioritize patches when the organization announces the security levels in a “headsup” prior to the announcement of the vulnerabilities.