[Secure-testing-team] Severity for browser-based attacks

Moritz Muehlenhoff jmm at inutil.org
Fri Apr 14 12:07:45 UTC 2006


Florian Weimer wrote:
> Are browser bugs which can result in arbitrary code execution after
> visiting a web page still "medium", or should we assign "high" to them?
>
> My hunch is that the free lunch is over as far as Mozilla's code base
> is concerned, and that these bugs begin to pose real risks (soon
> comparable to those PHP application bugs).

We should use "high", although we still have the benefit that nowadays
the Windows Firefoxen exceed the installed base on GNU/Linux, so attacks
are still more likely to be slanted at Windows.

Cheers,
        Moritz
