Issue rating system
Yubico security issue rating standard
Yubico is committed to resolving vulnerabilities as quickly as possible. To contact Yubico’s security team, send an email to firstname.lastname@example.org and provide as much information as possible. Our PGP public key can be used to encrypt the content. We request that you follow responsible reporting practices and allow us time to evaluate and respond to the vulnerability before discussing the issue publicly.
Please note that the email@example.com email address is meant for reporting vulnerabilities only and is not intended to be used for other security or support issues. For general support issues, see Yubico Support.
Yubico Security Advisories
For a list of all security advisories issued by Yubico, in chronological order, see Yubico Security Advisories.
Issue rating overview
Security issues are those that affect the security posture of Yubico products and services, whether internal or customer facing. Yubico uses four severity ratings to describe security issues in its software, services, and devices: Minor, Moderate, High, and Critical. Each rating carries requirements for how Yubico treats issues at that level, and the same severity scale is used for all security issues.
There are multiple ways to evaluate issues (detailed in Determining Issue Rating below). Qualitative conditions can be used to determine severity, which is useful for things like systemic issues, process issues, or exposures. For specific vulnerabilities, it is useful to rate using the Common Vulnerability Scoring System (CVSS).
We encourage all customers to evaluate each issue in light of their use of our products and take appropriate steps to address any security concerns.
Determining issue rating
The following table details how Yubico assigns a security issue rating. Depending on the issue, CVSS scores or qualitative conditions are evaluated to determine the rating of a particular issue. For each issue, both the CVSS score range and the satisfied conditions are described, along with the assigned rating. Either method may be used depending on which is most applicable for a given security issue. An issue does not have to meet both the CVSS score and the conditions in order to fulfill the requirements for a particular rating.
| Rating | CVSS score range |
|---|---|
| Critical | 9.0 – 10.0 |
| High | 7.0 – 8.9 |
| Moderate | 4.0 – 6.9 |
| Minor | 0.1 – 3.9 |