Security risk calculator
Last updated on 17 April 2024
The questions below will help calculate the risk level for a security issue.
Access complexity: how difficult is it for the attacker to leverage the vulnerability?
None (user visits page)
Basic or routine (user must follow specific path)
Complex or highly specific (multi-step, unintuitive process with high number of dependencies)
Authentication: what privilege level is required for an exploit to be successful?
None (all/anonymous users)
User-level access (basic/commonly assigned permissions)
Administrator (broad permissions required where “restrict access” is set to false)
Confidentiality impact: does this vulnerability cause non-public data to be accessible?
All non-public data is accessible
Certain non-public data is released
No confidentiality impact
Integrity impact: can this exploit allow system data (or data handled by the system) to be compromised?
All data can be modified or deleted
Some data can be modified
Data integrity remains intact
Zero-day impact: does a known exploit exist?
Exploit exists (documented or deployed exploit code already in the wild)
Proof of concept exists (documented methods for developing exploit exist in the wild)
Theoretical or white-hat (no public exploit code or documentation on development exists)
Target distribution: what percentage of module users are affected?
All module configurations are exploitable
Default or common module configurations are exploitable, but a config change can disable the exploit
Only uncommon module configurations are exploitable
Related Content
Security risk levels defined
The following information explains the criticality levels, as a general guideline for determining security risk levels.