This page last changed on Nov 13, 2009 by edawson.

Severity Levels

Atlassian security advisories include a severity level, rating the vulnerability as one of the following:

  • Critical
  • High
  • Moderate
  • Low

Below is a summary of the factors which we use to decide on the severity level, and the implications for your installation.

Severity Level: Critical

We classify a vulnerability as critical if most or all of the following are true:

  • Exploitation of the vulnerability results in root-level compromise of servers or infrastructure devices.
  • The information required in order to exploit the vulnerability, such as example code, is widely available to attackers.
  • Exploitation is usually straightforward, in the sense that the attacker does not need any special authentication credentials or knowledge about individual victims, and does not need to persuade a target user, for example via social engineering, into performing any special functions.

Severity Level: High

We give a high severity level to those vulnerabilities which have the potential to become critical, but have one or more mitigating factors that make exploitation less attractive to attackers.

For example, given a vulnerability which has many characteristics of the critical severity level, we would give it a level of high if any of the following are true:

  • The vulnerability is difficult to exploit.
  • Exploitation does not result in elevated privileges.
  • The pool of potential victims is very small.

Note: If the mitigating factor arises from a lack of technical details, the severity level would be elevated to critical if those details later became available. If your installation is mission-critical, you may want to treat this as a critical vulnerability.

Severity Level: Moderate

We give a moderate severity level to those vulnerabilities where the scales are slightly tipped in favour of the potential victim.

The following vulnerabilities are typically rated moderate:

  • Denial of service vulnerabilities, since they do not result in compromise of a target.
  • Exploits that require an attacker to reside on the same local network as the victim.
  • Vulnerabilities that affect only nonstandard configurations or obscure applications.
  • Vulnerabilities that require the attacker to manipulate individual victims via social engineering tactics.
  • Vulnerabilities where exploitation provides only very limited access.

Severity Level: Low

We give a low severity level to those vulnerabilities which, by themselves, typically have very little impact on an organisation's infrastructure.

Exploitation of such vulnerabilities usually requires local or physical system access. Exploitation may result in client-side privacy or denial of service issues and leakage of information about organisational structure, system configuration and versions, or network topology.

Original ranking compiled by the SANS Institute

Our vulnerability ranking is based on a scale originally published by the SANS Institute.

Further reading

See How to Get Legendary Support from Atlassian for more support-related information.

Document generated by Confluence on Jul 29, 2010 20:01