Issue rating system

    Yubico security issue rating standard

    Yubico is committed to resolving vulnerabilities as quickly as possible. To contact Yubico’s security team, send an email to security@yubico.com and provide as much information as possible. Our PGP public key can be used to encrypt the content. We request that you follow responsible reporting practices and allow us time to evaluate and respond to the vulnerability before discussing the issue publicly.

    Please note that the security@yubico.com email address is meant for reporting vulnerabilities only and is not intended to be used for other security or support issues. For general support issues, see Yubico Support.

    Yubico Security Advisories

    If you want to be notified of security advisories, subscribe to our security advisory email list. You can choose to opt out of the advisory email list at any time.

    For a list of all security advisories issued by Yubico, in chronological order, see Yubico Security Advisories.

    Issue rating overview

    Security issues are issues that affect the security posture of the Yubico products and services (internal and customer facing). Yubico uses four severity ratings to describe security issues in its software, services, and devices: Minor, Moderate, High, Critical. Each rating has requirements regarding how those issues are treated by Yubico. The same severity scale will be used for all security issues.

    There are multiple ways to evaluate issues (detailed in Determining Issue Rating below). Qualitative conditions can be used to determine severity, which is useful for things like systemic issues, process issues, or exposures. For specific vulnerabilities, it is useful to rate using the Common Vulnerability Scoring System (CVSS).

    We encourage all customers to evaluate each issue in light of their use of our products and take appropriate steps to address any security concerns.

    Determining issue rating

    The following table details how Yubico assigns a security issue rating. Depending on the issue, either CVSS scores or qualitative conditions are evaluated to determine its rating. For each rating, the table lists both the CVSS score range and the qualitative conditions that correspond to it. Either method may be used, depending on which is most applicable for a given security issue; an issue does not have to meet both the CVSS score range and the conditions to qualify for a particular rating.

    Critical (CVSS score 9.0 – 10)
    • One or more protection goals of the device or service is reliably compromised
    • Exploitation is possible without physical possession of an affected device
    • All or most customers of the affected product are impacted
    • An attacker may be able to exploit multiple devices at a time with no additional effort
    • It is difficult or impossible to determine that exploitation has occurred

    High (CVSS score 7.0 – 8.9)
    • One or more protection goals of the device or service is compromised
    • Proximity to the device is sufficient for exploitation, or exploitation requires possession of an affected device but is easy to perform reliably without tampering being evident
    • It is non-trivial to determine that the issue has been exploited, even with possession of the device

    Moderate (CVSS score 4.0 – 6.9)
    • A protection goal of the device or service may be compromised
    • Not predictably exploitable 100% of the time
    • Requires physical possession of a device, tampering would be evident, and/or may be difficult to exploit
    • Mitigated by other factors or applies only to non-default configurations; mitigation requires minimal or no effort on behalf of the customer
    • An attacker can exploit only one device at a time
    • Easy to discover that the issue has been exploited, but discovery is after the fact

    Minor (CVSS score 0.1 – 3.9)
    • No or minimal impact to a protection goal of the device or service
    • Not predictably exploited, or will only work in some cases
    • Requires physical possession of a device, tampering would be evident, and/or may be difficult to exploit
    • Mitigation is largely unnecessary or requires minimal or no effort on behalf of the customer
    • Exploitation attempts are easy to discover, and that discovery can be used to prevent compromise

    Report security issues

    To report security issues, email security@yubico.com. Reporters may use our PGP public key to encrypt their report.