Yubico Security Issue Rating System

Yubico uses the following scale to rate security issues in its software, services, and devices. We encourage all customers to evaluate each issue in light of their use of the products and take appropriate steps to address any security issues that may arise.

  • Minor:
    • No or minimal impact to a protection goal of the device or service
    • Cannot be exploited predictably, or exploitation will only work in some cases
    • Requires physical possession of a device and/or may be difficult to exploit
    • Mitigation is largely unnecessary or requires minimal or no effort on behalf of the customer
    • Exploitation attempts are easy to discover, and discovery can be used to prevent compromise
  • Moderate:
    • A protection goal of the device or service may be compromised
    • Not predictably exploitable 100% of the time
    • Requires physical possession of a device and/or may be difficult to exploit
    • Mitigated by other factors or applies only to non-default configurations. Mitigation requires minimal or no effort on behalf of the customer.
    • An attacker can exploit only one device at a time
    • Easy to discover that the issue has been exploited, but discovery is after the fact
  • High:
    • One or more protection goals of the device or service is compromised
    • Proximity to device is sufficient for exploitation, or exploitation requires possession of an affected device but is easy to perform reliably without damaging the device or service
    • It is non-trivial to determine that the issue has been exploited even with possession of the device
  • Critical:
    • One or more protection goals of the device or service is reliably compromised
    • Exploitation is possible without physical possession of an affected device
    • All or most customers of the affected product are impacted
    • An attacker may be able to exploit multiple devices at a time with no additional effort
    • It is difficult or impossible to determine that exploitation has occurred