Security Levels


Overview

This document explains the security levels for advisories that we post on our Security page.

As of TSR-2017-0002, we use the Common Vulnerability Scoring System version 3 (CVSSv3) to score vulnerabilities. When we disclose a vulnerability, we provide the vulnerability’s CVSSv3 Base Score and its Base Vector. You can use the CVSSv3 Base Vector to determine the complete CVSSv3 score.

Base Score and Base Metrics

The Base Score is a numeric value that ranges from 1 to 10 and increases with the severity of the vulnerability; a value of 10 indicates the most severe vulnerabilities. The Base Metrics are the characteristics of a vulnerability that stay constant over time and across user environments.

To calculate the Base Score, assign a value to each Base Metric. For details on how the Base Metrics combine into the Base Score, see first.org's A Complete Guide to the CVSSv3 documentation.

Base Vector

The Base Vector lists the metric values from which the Base Score is calculated. Base Vectors use the following structure:

(CVSS:3.0/AV:[L,A,N,P]/AC:[L,H]/PR:[N,L,H]/UI:[N,R]/S:[U,C]/C:[N,L,H]/I:[N,L,H]/A:[N,L,H])

Choose exactly one option from each set of brackets.

  • Every metric shown outside the brackets is mandatory; a valid CVSS vector includes all of them.
  • Each letter or pair of letters before a colon identifies a metric, and the letter after the colon is that metric's value.

The table below defines each Base Vector metric and its possible values:

Metric
Description
Possible values
AV The vulnerability's attack vector: how remote an attacker can be when exploiting it.
  • L — Local access
  • A — Adjacent network
  • N — Network
  • P — Physical
AC The attack complexity required to exploit the vulnerability.
  • L — Low
  • H — High
PR The privilege level an attacker must hold before exploiting the vulnerability.
  • N — None required
  • L — Requires low privileges
  • H — Requires high privileges
UI Whether a user other than the attacker must perform an action for the exploit to succeed.
  • N — None required
  • R — Successful attack requires user interaction
S Whether the vulnerability's impact extends to systems beyond the vulnerable component (scope).
  • U — Impact is confined to the vulnerable component
  • C — Impact extends to systems beyond the vulnerable component
C The vulnerability's impact on information confidentiality.
  • N — None
  • L — Low
  • H — High
I The vulnerability's impact on information integrity.
  • N — None
  • L — Low
  • H — High
A The vulnerability's impact on the availability of the affected component.
  • N — None
  • L — Low
  • H — High

Legacy Security Levels

For information about security levels prior to TSR-2017-0002, read our Legacy Security Levels documentation.

Last Updated On July 31, 2018
