[Reportbug-maint] Bug#762232: reportbug: has no good category for web apps exploitability
Sandro Tosi
morph at debian.org
Fri Sep 19 20:05:08 UTC 2014
Hello Toni,
thanks for your report
> as the number of packaged web applications increases, reportbug should
> imho have a category that is designated to be appropriate for cases
> where the problem does not allow compromising a local user or gaining
> root, but where the application would make the host prone to carrying
> out attacks on third party hosts, on behalf of the attacker. As an
> example, installing malware to cause drive-by downloads may be
> mentioned - usually, the host itself might not be otherwise affected by
> the additional files it would serve.
>
> Please consider assigning an appropriate category to this kind of
> problem and offer the user to set the security tag on the affected
> report.
Can you please clarify what this "category" you're describing is? Is
it an additional severity (like "critical", "grave", "minor", etc) or
a tag (like "ipv6", "lfs", etc)?
From what you describe, I think the right categorization for now is:
severity=critical, tags=security - what would be the advantage of
introducing a more fine grained categorization for those issues?
Regards,
--
Sandro Tosi (aka morph, morpheus, matrixhasu)
My website: http://matrixhasu.altervista.org/
Me at Debian: http://wiki.debian.org/SandroTosi