Security Bug Fix Policy


This document describes how and when we fix security bugs. It does not describe the complete security process (see Information Security Policy).

Severity of Security Bugs

  • Critical severity - Critical severity issues allow an attacker to read or write arbitrary resources of the underlying application with the full privileges of an administrator. - To be fixed within 1 Week
  • High severity - High severity issues allow an attacker to run code in the context of other origins, or otherwise impersonate other origins or read cross-origin data. - To be fixed within 2 Weeks
  • Medium severity - Medium severity issues allow attackers to read or modify information from only one part of the application, or are not harmful on their own but potentially harmful when combined with other issues. - To be fixed within 4 Weeks
  • Low severity - Low severity vulnerabilities are usually bugs that would normally be a higher severity, but which have extreme mitigating factors or highly limited scope. - To be fixed within 8 Weeks