Yubico Security Issue Rating Standard

Issue Rating Overview

Security issues are those that affect the security posture of Yubico products and services (internal and customer facing). Yubico uses four severity ratings to describe security issues in its software, services, and devices: Minor, Moderate, High, and Critical. Each rating carries requirements for how Yubico treats the issues assigned to it. The same severity scale is used for all security issues.

There are multiple ways to evaluate issues (detailed in Determining Issue Rating below). Qualitative conditions can be used to determine severity, which is useful for things like systemic issues, process issues, or exposures. For specific vulnerabilities, it is useful to rate using the Common Vulnerability Scoring System (CVSS).

We encourage all customers to evaluate each issue in light of their use of our products and take appropriate steps to address any security concerns.

Determining Issue Rating

The following table details how Yubico assigns a security issue rating. Depending on the issue, CVSS scores or qualitative conditions are evaluated to determine the rating of a particular issue. For each issue, both the CVSS score range and the satisfied conditions are described, along with the assigned rating. Either method may be used depending on which is most applicable for a given security issue. An issue does not have to meet both the CVSS score and the conditions in order to fulfill the requirements for a particular rating.

Rating, CVSS score range, and conditions:

Critical (CVSS 9.0 – 10)
  • One or more protection goals of the device or service is reliably compromised
  • Exploitation is possible without physical possession of an affected device
  • All or most customers of the affected product are impacted
  • An attacker may be able to exploit multiple devices at a time with no additional effort
  • It is difficult or impossible to determine that exploitation has occurred

High (CVSS 7.0 – 8.9)
  • One or more protection goals of the device or service is compromised
  • Proximity to the device is sufficient for exploitation, or exploitation requires possession of an affected device but is easy to perform reliably without tampering being evident
  • It is non-trivial to determine that the issue has been exploited, even with possession of the device

Moderate (CVSS 4.0 – 6.9)
  • A protection goal of the device or service may be compromised
  • Not predictably exploitable 100% of the time
  • Requires physical possession of a device, tampering would be evident, and/or may be difficult to exploit
  • Mitigated by other factors or applies only to non-default configurations; mitigation requires minimal or no effort on behalf of the customer
  • An attacker can exploit only one device at a time
  • Easy to discover that the issue has been exploited, but discovery is after the fact

Minor (CVSS 0.1 – 3.9)
  • No or minimal impact to a protection goal of the device or service
  • Not predictably exploitable, or will only work in some cases
  • Requires physical possession of a device, tampering would be evident, and/or may be difficult to exploit
  • Mitigation is largely unnecessary or requires minimal or no effort on behalf of the customer
  • Easy to discover exploitation attempts, and that discovery can be used to prevent compromise

Report Security Issues

To report security issues, email security@yubico.com. Reporters may use our PGP public key.