Security Bulletin Severity Rating System
Updated: May 2012
The mission of the Microsoft Security Response Center (MSRC) is to help our customers operate their systems and networks securely. A major part of this mission involves evaluating reports of suspected vulnerabilities in Microsoft products and, when necessary, ensuring that updates and security bulletins that respond to bona fide reports are produced and disseminated. The MSRC issues a bulletin for any product vulnerability that could, in our judgment, result in multiple customers being affected, no matter how unlikely or limited the impact.
Not all vulnerabilities have equal impact. This document presents our security bulletin severity rating system. This system, which we revised in December 2011 based on customer feedback, is intended to help our customers decide which updates they should apply under their particular circumstances, and how rapidly they need to take action. Customers have encouraged us to include this information in our bulletins to help them assess their risk.
In industry experience, attacks that impact customers' systems rarely result from attackers' exploitation of previously unknown vulnerabilities. Attacks typically exploit vulnerabilities for which patches have long been available, but not applied. This is why we include deployment priorities with each severity rating.
The severity rating system provides a rating for each vulnerability per component or platform. This rating represents the worst theoretical outcome were a vulnerability to be exploited on a given component or platform. The severity rating does not indicate the likelihood of that outcome.
To assess that likelihood, the Microsoft Exploitability Index is designed to provide additional information to help customers better prioritize the deployment of Microsoft security updates. This index provides customers with guidance on the likelihood of functioning exploit code being developed for vulnerabilities addressed by Microsoft security updates, within the first thirty days of that update's release.
The definitions of the Severity ratings are:
We apply this severity rating system to each issue addressed in a security bulletin. With regard to bulletins that address multiple vulnerabilities, the overall bulletin severity will reflect the highest severity issue addressed in the bulletin. While this severity rating system is intended to provide a broadly objective assessment of each issue, we strongly encourage customers to evaluate their own environments and make decisions about which updates are required to protect their systems.