Priority and Severity Levels

Priority Levels

| Priority Level | Description |
| --- | --- |
| Priority 1 | This vulnerability is the most severe. It is actively being exploited, or exploitation is imminent. Other outside businesses or schools are actively being exploited. |
| Priority 2 | This vulnerability has not yet been exploited at the Institute; however, exploitation may be imminent. Other outside businesses or schools are actively being exploited. |
| Priority 3 | This vulnerability has not yet been exploited at the Institute. The probability of exploitation is medium and there may be discussion about the vulnerability in security circles. |
| Priority 4 | This vulnerability has a lower probability of exploitation, but should still be mitigated. Risks at this priority and above should be reported to the securityalerts@ias.edu mailing list or the involved school's helpdesk. |
| Priority 5 | This vulnerability is low risk. Direct communication should be made with the school or group that it affects. |
| Mitigated | This rating is reserved for vulnerabilities that have been mitigated and are no longer a threat. It keeps the documentation clear about the current state of a risk. |
| No Risk | This rating is reserved for items that were previously deemed a risk, but have now been deemed not vulnerable due to new information. |

Severity Levels

| Severity Level | Description |
| --- | --- |
| Severity 1 | This vulnerability is the most severe. It poses high risk to other groups/schools or to the Institute as a whole. This may also be a vulnerability that puts the image of the Institute at risk. |
| Severity 2 | This vulnerability poses high risk to an entire group/school, possibly including resources available to another group/school. |
| Severity 3 | This vulnerability poses high risk within a group/school. It does not pose a risk of contaminating other groups/schools. |
| Severity 4 | This vulnerability poses a risk to a user or smaller group. If left unfixed, it could grow larger or spread to other groups/users. |
| Severity 5 | This vulnerability is low severity and poses a risk to an individual or group. If left unfixed, it will not grow and will remain a risk only to that user or group. |
| Mitigated | This rating is reserved for vulnerabilities that have been mitigated and are no longer a threat. It keeps the documentation clear about the current state of a risk. |
| No Risk | This rating is reserved for items that were previously deemed a risk, but have now been deemed not vulnerable due to new information. |