Version: 1.2 Updated: September 25th 2017
Each vulnerability is associated with a security risk rating of Critical, High, Medium or Low. Following are brief descriptions of these ratings. Please note that there will be vulnerabilities that don't fit the descriptions provided in this document and will require a specific judgement call. In our sole discretion, we will make reasonable attempts to adhere to the following rating levels.
Remote code execution, remote permanent denial of service (inoperability), bypassing or disabling critical security measures.
Critical vulnerabilities may allow an attacker to gain control of the device remotely, typically by sending a malicious input that is received and processed by the device. A vulnerability that permits an attack that may cause a device to stop functioning also falls into this category. In this case, a vulnerable device normally cannot be recovered from a hardware reset or will require an engineering procedure for recovery. Vulnerabilities that allow bypassing or disabling of a critical security mechanism, either locally or remotely, are also covered by this category. Examples include full compromises of a secure execution environment and secure boot bypasses.
Local privilege escalation, access to confidential device information or other confidential user information maintained on device, temporary remote denial-of-service attacks.
High vulnerabilities may allow an unprivileged attacker to escalate privileges from a local execution context, and to execute arbitrary code and allow access to confidential device information including device secrets, security settings, and user confidential data via local access. This category also includes vulnerabilities that may allow an attacker to remotely (without any user assistance) cause the device to crash and/or reboot, i.e., temporary denial-of-service attacks. Examples of confidential device information may include the device A-key or SIM-lock information and contents of secure storage, including DRM keys and GPS information.
Medium vulnerabilities may allow an attacker to achieve similar impact to high-rated ones, but require additional user interaction or another vulnerability to work together, e.g., local privilege escalation attacks that require an elevated privilege above normal user privileges as a prerequisite. Additionally, this category includes vulnerabilities that may allow an attacker to access sensitive, but not security-critical device configuration information from the host without authorization, e.g., exact device or firmware versions, IMEI, or phone number (which could be further used by an attacker to identify vulnerabilities specific to the device). Accordingly, these vulnerabilities potentially enable an attacker to mount more dangerous attacks.
Low vulnerabilities are security vulnerabilities that do not directly cause harm to the user or the device. They include access to general information such as general device settings or device-specific details such as device manufacturer, model, or HLOS in use. Vulnerabilities that do not qualify for any of the above categories, but that may add to the overall impact of another vulnerability, also fall into this category. This category also includes Defense-in-Depth issues that do not have an attack vector at the time of issue discovery, but improved code can mitigate the attack if other defense measures are rendered ineffective.
September 25th 2017