Severity Levels for Security Issues | Atlassian (2024)

Sources of Vulnerability

  • Security scanner tickets such as those filed by Nexpose and Snyk
  • Bug bounty findings found by security researchers through Bugcrowd
  • Security vulnerabilities reported by the security team as part of reviews
  • Security vulnerabilities reported by Atlassians

Severity Framework and Rating

Atlassian uses the Common Vulnerability Scoring System (CVSS) as a method of assessing security risk and prioritization for each discovered vulnerability. CVSS is an industry standard vulnerability metric. You can learn more about CVSS at FIRST.org.

Severity Levels

Atlassian security advisories include a severity level. This severity level is based on our self-calculated CVSS score for each specific vulnerability.

  • Critical
  • High
  • Medium
  • Low

For CVSS v3 Atlassian uses the following severity rating system:

CVSS V3 SCORE RANGE    SEVERITY IN ADVISORY
9.0 - 10.0             Critical
7.0 - 8.9              High
4.0 - 6.9              Medium
0.1 - 3.9              Low

In some cases, Atlassian may use additional factors unrelated to CVSS score to determine the severity level of a vulnerability. This approach is supported by the CVSS v3.1 specification:

Consumers may use CVSS information as input to an organizational vulnerability management process that also considers factors that are not part of CVSS in order to rank the threats to their technology infrastructure and make informed remediation decisions. Such factors may include: number of customers on a product line, monetary losses due to a breach, life or property threatened, or public sentiment on highly publicized vulnerabilities. These are outside the scope of CVSS.

In cases where Atlassian takes this approach, we will describe which additional factors have been considered and why when publicly disclosing the vulnerability.

Below are a few examples of vulnerabilities which may result in a given severity level. Please keep in mind that this rating does not take into account details of your installation and is to be used as a guide only.

Severity Level: Critical

Vulnerabilities that score in the critical range usually have most of the following characteristics:

  • Exploitation of the vulnerability likely results in root-level compromise of servers or infrastructure devices.
  • Exploitation is usually straightforward, in the sense that the attacker does not need any special authentication credentials or knowledge about individual victims, and does not need to persuade a target user, for example via social engineering, into performing any special functions.

For critical vulnerabilities, it is advised that you patch or upgrade as soon as possible, unless you have other mitigating measures in place. For example, a mitigating factor could be if your installation is not accessible from the Internet.

Severity Level: High

Vulnerabilities that score in the high range usually have some of the following characteristics:

  • The vulnerability is difficult to exploit.
  • Exploitation could result in elevated privileges.
  • Exploitation could result in a significant data loss or downtime.

Severity Level: Medium

Vulnerabilities that score in the medium range usually have some of the following characteristics:

  • Vulnerabilities that require the attacker to manipulate individual victims via social engineering tactics.
  • Denial of service vulnerabilities that are difficult to set up.
  • Exploits that require an attacker to reside on the same local network as the victim.
  • Vulnerabilities where exploitation provides only very limited access.
  • Vulnerabilities that require user privileges for successful exploitation.

Severity Level: Low

Vulnerabilities in the low range typically have very little impact on an organization's business. Exploitation of such vulnerabilities usually requires local or physical system access. Vulnerabilities in third party code that are unreachable from Atlassian code may be downgraded to low severity.

Remediation Timeline

Atlassian sets service level objectives for fixing security vulnerabilities based on the security severity level and the affected product. We have defined timeframes for fixing security issues according to our security bug fix policy.

Accelerated Resolution Timeframes apply to:

  • All cloud-based Atlassian products
  • Jira Align (both the cloud and self-managed versions)
  • Any other software or system managed by Atlassian, or running on Atlassian infrastructure

Extended Resolution Timeframes apply to:

  • All self-managed Atlassian products
    • These are products that are installed by customers on customer-managed systems
    • This includes Atlassian's Data Center, desktop, and mobile applications

CVSS Resolution Timeframe

Severity level   Accelerated Resolution Timeframes    Extended Resolution Timeframes
Critical         Within 10 days of being verified     Within 90 days of being verified
High             Within 4 weeks of being verified     Within 90 days of being verified
Medium           Within 12 weeks of being verified    Within 90 days of being verified
Low              Within 25 weeks of being verified    Within 180 days of being verified