Advertising sustains the DA. Ads are hidden for members. Join today

On this page

Drupal Security Team

Security risk levels defined

Last updated on
6 February 2023

The following information explains how the criticality levels serve as a general guideline for determining security risk levels.

This page is about the risk score used after August 6th, 2014. To see the system used prior to that, check the revisions of this page from 2014.

Risk Calculator

The current security advisory risk level system is based on the NIST Common Misuse Scoring System (NISTIR 7864). Each vulnerability is scored using this system and a number is assigned between 0 and 25. The total points are used to give a text description to make the numbers easier to understand:

  • scores between 0 and 4 are considered Not Critical
  • 5 to 9 is considered Less Critical
  • 10 to 14 is considered Moderately Critical
  • 15 to 19 is considered Critical
  • 20 to 25 is considered Highly Critical

The risk level is assigned by the Risk Calculator which takes 6 different metrics, each which can have 3 different values. This is encoded in a terse format and included on every Security Advisory in the "Security risk" field. The below table provides longer descriptions and point scores for each category.

Risk metrics used
Code Metric Description
AC Access complexity

How difficult is it for the attacker to leverage the vulnerability?

  • AC:None = None (user visits page) +4 points
  • AC:Basic = Basic or routine (user must follow specific path) +2 points
  • AC:Complex = Complex or highly specific (multi-step, unintuitive process with high number of dependencies) +1 point
A Authentication

What privilege level is required for an exploit to be successful?

  • A:None = None (all/anonymous users) +4 points
  • A:User = User-level access (basic/commonly assigned permissions) +2 points
  • A:Admin = Administrator (broad permissions required where 'restrict access' is set to false) +1 point
CI Confidentiality impact

Does this vulnerability cause non-public data to be accessible?

  • CI:All = All non-public data is accessible +5 points
  • CI:Some = Certain non-public data is released +3 points
  • CI:None = No confidentiality impact +0 points
II Integrity impact

Can this exploit allow system data (or data handled by the system) to be compromised?

  • II:All = All data can be modified or deleted +5 points
  • II:Some = Some data can be modified +3 points
  • II:None = Data integrity remains intact +0 points
E Exploit (Zero-day impact)

Does a known exploit exist?

  • E:Exploit = Exploit exists (documented or deployed exploit code already in the wild) +4 points
  • E:Proof = Proof of concept exists (documented methods for developing exploit exist in the wild) +2 points
  • E:Theoretical = Theoretical or white-hat (no public exploit code or documentation on development exists) +1 point
TD Target distribution

What percentage of users are affected?

  • TD:All = All module configurations are exploitable +3 points
  • TD:Default = Default or common module configurations are exploitable, but a config change can disable the exploit +2 points
  • TD:Uncommon = Only uncommon module configurations are exploitable +1 points

External resources

Help improve this page

Page status: No known problems

You can: