Severity Levels

Octopus Deploy security advisories contain a severity level of either critical, high, medium or low. The security level is based off a self-calculated CVSS V4.0 score, which is an industry standard vulnerability metric. We use the following severity rating system:

Please keep in mind these ratings do not take into account details of your specific installation and should be used only as a guide.

CVSS V4 Score Range Severity Level Remediation Time Frame
9.0 - 10.0 Critical 14 days
7.0 - 8.9 High 30 days
4.0 - 6.9 Medium 60 days
0.1 - 3.9 Low 90 days

Severity level: Critical

Vulnerabilities that score in the critical range usually have the following characteristics:

  • Exploitation of the vulnerability likely results in root-level compromise of the server.

  • Exploitation is usually straightforward meaning an attacker doesn’t need any authentication information and doesn’t need to persuade a target to perform an action such as using social engineering.

Severity level: High

Vulnerabilities that score in the high range usually have the following characteristics:

  • The vulnerability is difficult to exploit meaning an attacker may need an existing foothold.

  • Exploitation could result in elevated privilege within the application or on the server.

  • Exploitation could result in a significant data loss or downtime.

Severity level: Medium

Vulnerabilities that score in the medium range usually have the following characteristics:

  • Vulnerabilities that require the attacker to manipulate individual victims via social engineering.

  • Denial of service vulnerabilities that are difficult to set up.

  • Exploits that require an attacker to reside on the same local network as the victim.

  • Vulnerabilities where exploitation provides only very limited access.

  • Vulnerabilities that require user privileges for successful exploitation.

Severity level: Low

Vulnerabilities in the low range typically have little impact on a business. Exploitation of low level vulnerabilities may only provide information about a system or require the attacker to have local or physical access to a device to exploit.