Each issue has a risk score consisting of the three main aspects of security (Confidentiality, Integrity and Availability), categorized from None to Critical.
Aspects of security
Confidentiality: An attacker can read internal or sensitive data, like passwords, software versions, etc.
Integrity: An attacker can modify data on your system, like bank account details, DNS entries, etc.
Availability: An attacker may impact the availability of your systems, e.g. by deleting files or overloading your systems.
Severity
5 - Critical
Impact: There is critical impact on security. An attacker can compromise the systems with low effort.
Recommended resolution time: We recommend resolving this issue immediately, at the latest within one week.
4 - High
Impact: The issue has a severe impact on your systems and may be abused by attackers with manageable effort.
Recommended resolution time: We recommend resolving this issue within one week.
3 - Medium
Impact: The issue may be abused by attackers in targeted or multi-stage attacks.
Recommended resolution time: This issue may be handled in your continuous improvement process. We recommend resolving it within eight weeks.
2 - Low
Impact: There is a small impact on security. The issue may indicate improper configurations or workflows.
Recommended resolution time: Evaluate whether this issue is caused by an underlying workflow deficiency or whether the impacted service could be disabled or isolated. The issue does not necessarily need to be resolved.
1 - None
Impact: The issue has no security impact.
Recommended resolution time: The issue does not need to be resolved and is informational only.