

I'm absolutely sure the decision isn't influenced by the fact that a critical sandbox escaping bug would bring a reward of between $20,000 and $30,000 whereas a moderate one drops to just $5,000 maximum and possibly as low as $1,000. It wouldn't be overly surprising if others did come to that conclusion, however.

I reached out to Microsoft for a statement regarding the severity rating of vulnerabilities in Edge and here is what a spokesperson said:

“There was no ‘downgrade’ that took place with our severity assessment on these vulnerabilities. Our severity rating differs from the CVSS rating because of the amount of interactions or preconditions required to exploit the reported vulnerabilities. The CVSS scoring system doesn’t allow for this type of nuance. This is explained in our Security Update Guide entry. The severity and security impact of an issue is assessed independently by the appropriate product engineering team.”
