Each issue has a risk score consisting of the three main aspects of security (Confidentiality, Integrity and Availability), each categorized from None to Critical.

Aspects of security

Confidentiality: An attacker can read internal or sensitive data, like passwords, software versions, etc.

Integrity: An attacker can modify data on your system, like bank account details, DNS entries, etc.

Availability: An attacker may impact the availability of your systems, e.g. by deleting files or overloading your systems.

Severity

5 - Critical

Impact: There is a critical impact on security. An attacker can compromise the systems with low effort.
Recommended resolution time: We recommend resolving this issue immediately, at the latest within one week.

4 - High

Impact: The issue has a severe impact on your systems and may be abused by attackers with manageable effort.
Recommended resolution time: We recommend resolving this issue within one week.

3 - Medium

Impact: The issue may be abused by attackers in targeted or multi-stage attacks.
Recommended resolution time: This issue may be handled in your continuous improvement process. We recommend resolving it within eight weeks.

2 - Low

Impact: There is a small impact on security. The issue may indicate improper configurations or workflows.
Recommended resolution time: Evaluate whether this issue is caused by an underlying workflow deficiency or whether the impacted service could be disabled or isolated. The issue does not necessarily need to be resolved.

1 - None

Impact: The issue has no security impact.
Recommended resolution time: The issue does not need to be resolved and is informational only.