Octopus Deploy security advisories contain a severity level of either critical, high, medium or low. The security level is based off a self-calculated CVSS V3 score, which is an industry standard vulnerability metric. We use the following severity rating system:

CVSS V3 Score Range	Severity Level	Remediation Time Frame
9.0 - 10.0	Critical	14 days
7.0 - 8.9	High	30 days
4.0 - 6.9	Medium	60 days
0.1 - 3.9	Low	90 days

Severity level: Critical

Vulnerabilities that score in the critical range usually have the following characteristics:

• Exploitation of the vulnerability likely results in root-level compromise of the server.

• Exploitation is usually straightforward meaning an attacker doesn’t need any authentication information and doesn’t need to persuade a target to perform an action such as using social engineering.

Severity level: High

Vulnerabilities that score in the high range usually have the following characteristics:

• The vulnerability is difficult to exploit meaning an attacker may need an existing foothold.

• Exploitation could result in elevated privilege within the application or on the server.

• Exploitation could result in a significant data loss or downtime.

Severity level: Medium

Vulnerabilities that score in the medium range usually have the following characteristics:

• Vulnerabilities that require the attacker to manipulate individual victims via social engineering.

• Denial of service vulnerabilities that are difficult to set up.

• Exploits that require an attacker to reside on the same local network as the victim.

• Vulnerabilities where exploitation provides only very limited access.

• Vulnerabilities that require user privileges for successful exploitation.

Severity level: Low

Vulnerabilities in the low range typically have little impact on a business. Exploitation of low level vulnerabilities may only provide information about a system or require the attacker to have local or physical access to a device to exploit.