Updated: July 11, 2020 (November 5, 2001)
Security Bulletin Severity Rating System
To ensure that organizations apply the most critical bug fixes, the Microsoft Security Response Center will begin rating vulnerabilities according to risk.
The rating system begins by separating the system environments into the following categories:
- Internet-facing servers, such as Web servers or firewalls
- Internal servers that are protected by a firewall but exposed to an organization’s internal users, such as domain controllers, member servers, or terminal servers
- Client systems, such as desktops, home PCs, and laptops
The potential impact of the vulnerability is then rated. At one extreme are vulnerabilities that allow the attacker to gain administrative control or require a complete reinstallation for recovery. At the other extreme are “reconnaissance” vulnerabilities that only reveal information about a system to the attacker. To address this spectrum, the Security Response Center created “critical,” “moderate,” and “low” severity ratings for the three environments.
The following table summarizes the rating system by severity level and system environment.