
New vulnerability severity levels

In 2023, we are introducing several larger enhancements across Security Center, where risk management will play a more significant role in managing and prioritizing vulnerabilities.

As part of this, we will change how severity levels are set for vulnerabilities based on the specific ranges of the CVSS score for CVEs associated with Network and Device assets.

Currently, the severity levels are defined as follows:

  • Info: 0,0
  • Low: 0,1 – 2,0
  • Medium: 2,1 – 5,0
  • High: 5,1 – 8,0
  • Critical: 8,1 – 10,0

The score is based on the CVSS 2.0 framework, and the levels/ranges are custom-defined by Holm Security.

After this change to Security Center, the severity levels will instead look like this:

  • Info: 0,0
  • Low: 0,1 – 3,9
  • Medium: 4,0 – 6,9
  • High: 7,0 – 8,9
  • Critical: 9,0 – 10,0

These new levels/ranges are primarily derived from the CVSS 3.1 framework. Where a vulnerability has no CVSS 3.1 score (typically older vulnerabilities), the CVSS 3.0 score is used instead, and if that is also missing, the CVSS 2.0 score.
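The following Python script is an added example, not Holm Security's own code, that implements the two scales described above so that a team can re-baseline which of their findings will move between levels before the change lands. It assumes that the upper bound of each range is inclusive, that scores are compared at one decimal place, that the version fallback order is 3.1, then 3.0, then 2.0, and that a fallback score is mapped onto the same new ranges; the findings and CVE identifiers are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Each scale is a list of (inclusive upper bound, level name), ascending.
# Old scale: Holm Security's custom ranges over the CVSS 2.0 base score.
OLD_LEVELS: List[Tuple[float, str]] = [
    (0.0, "Info"), (2.0, "Low"), (5.0, "Medium"), (8.0, "High"), (10.0, "Critical"),
]
# New scale: CVSS 3.1 ranges, applied to the best available score version.
NEW_LEVELS: List[Tuple[float, str]] = [
    (0.0, "Info"), (3.9, "Low"), (6.9, "Medium"), (8.9, "High"), (10.0, "Critical"),
]


def classify(score: float, levels: List[Tuple[float, str]]) -> str:
    """Map a CVSS base score (0.0 to 10.0, one decimal) to a level name."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    s = round(score, 1)
    for upper, name in levels:
        # Small epsilon so that e.g. 3.9 is not rejected by float representation.
        if s <= upper + 1e-9:
            return name
    raise AssertionError("unreachable: last bound is 10.0")


@dataclass
class Finding:
    """A finding with whichever CVSS base scores are published for its CVE (placeholders)."""
    cve: str
    cvss31: Optional[float] = None
    cvss30: Optional[float] = None
    cvss20: Optional[float] = None


def select_score(f: Finding) -> Tuple[str, float]:
    """Return (version, score) following the fallback order 3.1 -> 3.0 -> 2.0 (assumed)."""
    for version, score in (("3.1", f.cvss31), ("3.0", f.cvss30), ("2.0", f.cvss20)):
        if score is not None:
            return version, score
    raise ValueError(f"{f.cve}: no CVSS score available")


def old_severity(f: Finding) -> str:
    """Severity under the current scale, which is defined over CVSS 2.0 only."""
    if f.cvss20 is None:
        raise ValueError(f"{f.cve}: old scale requires a CVSS 2.0 score")
    return classify(f.cvss20, OLD_LEVELS)


def new_severity(f: Finding) -> str:
    """Severity under the new scale, using the highest available CVSS version."""
    _, score = select_score(f)
    return classify(score, NEW_LEVELS)


def severity_changes(findings: Iterable[Finding]) -> List[Tuple[str, str, str]]:
    """List (cve, old level, new level) for every finding whose level changes."""
    changes = []
    for f in findings:
        old, new = old_severity(f), new_severity(f)
        if old != new:
            changes.append((f.cve, old, new))
    return changes


# Constructed sample findings; the CVE ids are placeholders, not real identifiers.
SAMPLE_FINDINGS = [
    Finding("CVE-EXAMPLE-1", cvss31=8.8, cvss20=9.0),   # Critical -> High
    Finding("CVE-EXAMPLE-2", cvss31=3.5, cvss20=4.3),   # Medium -> Low
    Finding("CVE-EXAMPLE-3", cvss20=5.0),               # only 2.0 exists: fallback
    Finding("CVE-EXAMPLE-4", cvss30=7.5, cvss20=7.5),   # no 3.1, falls back to 3.0
    Finding("CVE-EXAMPLE-5", cvss31=9.8, cvss20=10.0),  # stays Critical
]

if __name__ == "__main__":
    for f in SAMPLE_FINDINGS:
        version, score = select_score(f)
        print(f"{f.cve}: old={old_severity(f)} new={new_severity(f)} (CVSS {version} = {score})")
    print("changed:", severity_changes(SAMPLE_FINDINGS))
```

Running the script lists each sample finding with the score version actually used and then the two findings whose level drops (Critical to High, Medium to Low), which is the kind of diff worth checking against any SLA or alerting rule that keys on the level name.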


Q&A

Why is this change made now?

We have received customer feedback on our current severity levels about how they can be improved. Combined with our new risk prioritization features (coming soon) and the CVSS 3.1 standard, we decided this was the right moment to implement this change.

How does this impact me?

All vulnerabilities across Security Center will be moved to the new severity levels. This can result in some vulnerabilities changing in severity, for example, from Critical to High or from Medium to Low. This is a one-time change and is intended to ensure Security Center stands on a solid foundation for the future.

When is this change taking effect?

We plan to introduce this change in Q1 2023. We will announce it on our status portal when we get closer to the event.