P1Critical

Critical

Critical Business Impact: Critical issue occurring on production system preventing business operations. A large number of users are prevented from working with no procedural workaround.

1. System hangs or crashes
2. Critical functionality not available
3. Data loss or data corruption
4. Large number of end users blocked from work
5. Impact is escalating quickly

1 hour

P2
Major 

Significant Business Impact: Major issue occurring on production system severely impacting business. A large number of users are impacted by issue but they are still able to work in a limited capacity.

1. Significant performance degradation
2. Important functionality not available
3. Small number of users blocked from work
4. Impact is escalating

4 hours

P3
Medium 

Normal Business Impact: Issue causing a partial or non-critical loss of functionality on production system. A small number of users are affected

1. Some system functions not available
2. Minor performance degradation
3. Small number of users impacted
4. Impact is not escalating

8 hours

P4
Low 

Minimal Business Impact: issue occurring on non-production system or question, comment, feature request, documentation issue or other non-impacting issue.

1. Incorrect product behavior without impact
2. Product question or enhancement

 24 hours >= 9

• Exploitation of the vulnerability likely results in root-level compromise of servers or infrastructure devices.
• Exploitation is usually straightforward, in the sense that the attacker does not need any special authentication credentials or knowledge about individual victims, and does not need to persuade a target user, for example via social engineering, into performing any special functions.

For critical vulnerabilities, is advised that you patch or upgrade as soon as possible, unless you have other mitigating measures in place. For example, a mitigating factor could be if your installation is not accessible from the Internet.

4 weeks

High

>=7

• The vulnerability is difficult to exploit.
• Exploitation could result in elevated privileges.
• Exploitation could result in a significant data loss or downtime.

6 weeks

Medium 

>=4

• Vulnerabilities that require the attacker to manipulate individual victims via social engineering tactics.
• Denial of service vulnerabilities that are difficult to set up.
• Exploits that require an attacker to reside on the same local network as the victim.
• Vulnerabilities where exploitation provides only very limited access.
• Vulnerabilities that require user privileges for successful exploitation. 

8 weeks

Low