@@ -24,7 +24,7 @@ with the progress until resolution. Your issue will be fixed or made public
2424within 90 days.
2525
2626If you have not received a reply to your email within 7 days, please follow up
27- with the Go security team again at
27+ with the Go Security team again at
2828[ security@golang.org ] ( mailto:security@golang.org ) . Please make sure the word
2929** vulnerability** is in your email.
3030
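Review bot: the casing change on line 27 ("Go security team" to "Go Security team") is applied again at line 40 in the next hunk, but any other occurrence of "security team" left in this file (and in the sibling policy pages that link to it) would make the capitalization inconsistent; please grep for the lowercase form and update it in the same commit so the team name reads one way throughout.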
@@ -37,9 +37,25 @@ report a technical security or an abuse risk related bug in a Google product
3737## Tracks
3838
3939Depending on the nature of your issue, it will be categorized by the Go
40- security team as an issue in the PUBLIC, PRIVATE, or URGENT track. All security
40+ Security team as an issue in the PUBLIC, PRIVATE, or URGENT track. All security
4141issues will be issued CVE numbers.
4242
43+ The Go Security team does not assign traditional fine-grained severity labels
44+ (e.g CRITICAL, HIGH, MEDIUM, LOW) to security issues because severity depends
45+ highly on how a user is using the affected API or functionality.
46+
47+ For example, the impact of a resource exhaustion issue in the ` encoding/json `
48+ parser depends on what is being parsed. If the user is parsing trusted JSON
49+ files from their local filesystem, the impact is likely to be low. If the user
50+ is parsing untrusted arbitrary JSON from an HTTP request body, the impact may be
51+ much higher.
52+
53+ That said, the following issue tracks do signal how severe and/or wide-reaching
54+ the Security team believes an issue to be. For example, an issue with medium to
55+ significant impact for many users is a PRIVATE track issue in this policy, and
56+ an issue with negligible to minor impact, or which affects only a small subset
57+ of users, is a PUBLIC track issue.
58+
4359### PUBLIC
4460
4561Issues in the PUBLIC track affect niche configurations, have very limited
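Review bot: the new paragraph on lines 43-45 has a typo and an awkward phrase: "e.g" should be "e.g.", and "severity depends highly on how a user is using" reads better as "severity depends heavily on how a user uses". Two consistency points follow: line 43 says "Go Security team" while line 54 says "the Security team" (pick one form, matching the rename made on line 40), and the closing example on lines 53-57 maps impact levels only to the PRIVATE and PUBLIC tracks, so a reader is left guessing how URGENT fits the same scale; a third clause such as "and an issue with severe, broad impact is an URGENT track issue" would complete the mapping, or else the sentence should say it covers only the two lower tracks.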