Following up on Rohit's comments that reachability and privileges_required have significant overlap, does it make sense to update these fields in the template? around 90% of reviewed vulns are marked as Local, and privileges_required is currently 'high/low/normal/false/no/true/yes'
I would propose to combine these fields into one:
privileges_required:
normal user # effectively Local today
| root # for secure boot or vm escape
| CAP_* # specific capabilities required like CAP_NET_ADMIN
| session network # for vulnerabilities involving sessions (RPC)
| network # for vulnerabilities that don't require sessions (UDP, network stack)
| physical # physical access to the device required, i.e. USB
Should there be additional qualifications for vm-oriented vulnerabilities? That's less of an issue today, but eventually we may have confidential compute style vulnerabilities where privileges_required: hypervisor may be a valid description?
Originally posted by @rkeshri-RH in #14
Following up on Rohit's comments that reachability and privileges_required have significant overlap, does it make sense to update these fields in the template? around 90% of reviewed vulns are marked as Local, and privileges_required is currently 'high/low/normal/false/no/true/yes'
I would propose to combine these fields into one:
privileges_required:
normal user # effectively Local today
| root # for secure boot or vm escape
| CAP_* # specific capabilities required like CAP_NET_ADMIN
| session network # for vulnerabilities involving sessions (RPC)
| network # for vulnerabilities that don't require sessions (UDP, network stack)
| physical # physical access to the device required, i.e. USB
Should there be additional qualifications for vm-oriented vulnerabilities? That's less of an issue today, but eventually we may have confidential compute style vulnerabilities where
privileges_required: hypervisormay be a valid description?Originally posted by @rkeshri-RH in #14