How Opera Software rates security issues
When publishing advisories or details of fixes for security issues that have been uncovered in our products, we rate them according to the potential impact of the issue. To aid understanding, we use terms that are consistent with the terms used by other software vendors. These are applied appropriately to the types of security issue that are relevant to our products. Older advisories used alternative terms, which are also given below.
There are four severity levels that are used for issues that have what we consider to be a security impact. In rare cases, an advisory may also be issued for a bug that has no security impact at all. This gives the final rating, which shows that it is not a security issue. These ratings are typically used in advisories or changelogs.
The terms we use to rate security issues are as follows:
The following sections give examples of the types of issue that would fall into each rating.
(Older terms used: extremely severe)
- Issues that allow an attacker to run executable code of their choice on the machine, with ease, and without assistance from the user.
(Older terms used: highly severe)
- Issues that allow an attacker to run executable code of their choice on the machine, with great difficulty, or requiring significant user interaction.
- Read-only access to files on the user's file system.
- Cross-site scripting on arbitrary sites, script insertion, or being able to read cookies from other domains.
- Getting Opera to reveal passwords for other sites.
- General leaks of confidential data.
- Manipulating the data store for an unrelated widget.
- Remote read-only access to all Opera Unite settings and data, or write access to some.
- Denial of service (DoS) that disables the operating system so severely that a reinstallation is needed, with possible loss of data.
(Older terms used: moderately severe)
- Being able to fake SSL information, or get Opera to accept invalid SSL information.
- Spoofing the address bar and all other related UI, such as IDN spoofing, so that SSL information can show the spoofed domain as well.
- Being able to hijack someone else's Opera Unite account.
- Denial of service (DoS) that disables the operating system until it is restarted or fixed using common system tools.
- Cases where a potentially more severe exploit requires specific but relatively popular reconfigurations, or significant user interaction.
(Older terms used: less severe)
- Denial of service (DoS) that disables Opera, even when selecting different startup options, until it is reinstalled or has its configuration files manually edited.
- Spoofing only the address bar, but not any other related security UI.
- Confusing security UI.
- Privacy leaks about non-confidential data, such as dates visited, cached files, visited history, etc.
- A crash or other attack that can be triggered with certain HTTP requests on most or all Unite services, to disable that service until it is reconfigured or restarted.
- Cases where a potential exploit requires multiple manual steps or reconfigurations, particularly to obscure settings, so users are unlikely to ever be affected.
(Older terms used: not severe)
- Bugs that have been reported externally as exploitable but actually have no security impact, such as simple stability bugs that have been incorrectly reported as a denial of service or a way to execute code.
- Cases where a potential exploit requires very significant user interaction and social engineering, or where the user must ignore security UI.
- Issues with Fraud and Malware Protection. Fraud and Malware Protection offers protection in layers, and while we strive to make it as useful as possible, it should never be trusted as the only line of defense. Most issues with Fraud and Malware Protection itself are not sufficient to exploit users.
- Issues with private browsing. Private browsing - using private tabs or windows - is designed to not leave any traces of browsing activity behind after the user exits the browser. While this is useful for matters of privacy, private browsing should not be relied upon for security.
For more details of what we consider a security issue, see our previous article. For details of how we handle security issues that are reported to us, see our security policy. Security issues can be reported securely through the Opera bug tracking system (recommended) or email.