Severity Levels
Octopus Deploy security advisories contain a severity level of either critical, high, medium or low. The security level is based off a self-calculated CVSS V4.0 score, which is an industry standard vulnerability metric. We use the following severity rating system:
Please keep in mind these ratings do not take into account details of your specific installation and should be used only as a guide.
CVSS V4 Score Range | Severity Level | Remediation Time Frame |
---|---|---|
9.0 - 10.0 | Critical | 14 days |
7.0 - 8.9 | High | 30 days |
4.0 - 6.9 | Medium | 60 days |
0.1 - 3.9 | Low | 90 days |
Severity level: Critical
Vulnerabilities that score in the critical range usually have the following characteristics:
-
Exploitation of the vulnerability likely results in root-level compromise of the server.
-
Exploitation is usually straightforward meaning an attacker doesn’t need any authentication information and doesn’t need to persuade a target to perform an action such as using social engineering.
Severity level: High
Vulnerabilities that score in the high range usually have the following characteristics:
-
The vulnerability is difficult to exploit meaning an attacker may need an existing foothold.
-
Exploitation could result in elevated privilege within the application or on the server.
-
Exploitation could result in a significant data loss or downtime.
Severity level: Medium
Vulnerabilities that score in the medium range usually have the following characteristics:
-
Vulnerabilities that require the attacker to manipulate individual victims via social engineering.
-
Denial of service vulnerabilities that are difficult to set up.
-
Exploits that require an attacker to reside on the same local network as the victim.
-
Vulnerabilities where exploitation provides only very limited access.
-
Vulnerabilities that require user privileges for successful exploitation.
Severity level: Low
Vulnerabilities in the low range typically have little impact on a business. Exploitation of low level vulnerabilities may only provide information about a system or require the attacker to have local or physical access to a device to exploit.