Hi,

On Thu, Apr 23, 2026 at 02:19:18PM +0000, MOESSBAUER, Felix wrote:
> On Thu, 2026-04-23 at 13:24 +0200, Christoph Steiger wrote:
> > Hi all,
> >
> > currently DSA have the following urgency field values: high, medium,
> > low, unimportant, not yet assigned and end of life.
>
> Hi,
>
> the question is about the security tracker data, hence forwarding to
> the debian-security-tracker ML.
>
> Felix
>
> >
> > In other formats, one example being the OSSF, the severity of a
> > vulnerability is rated with the CVSS scoring system [1]. I know that
> > Debian does not adhere to that scoring system, but the ratings of a
> > score are very similar to the DSA Urgency field [2] (Section 5, Table
> > 14): Critical, High, Medium, Low and None.
> >
> > I could not find any "hard" criteria for the assessment of the Urgency
> > of DSAs, and I assume this is done by intuition of the Debian security
> > team. Most of the people involved in a vulnerability remediation process
> > are used to the CVSS scoring system and its ratings (or so I have heard,
> > I am not one myself). Having such similar rating names might lead to
> > confusion about their meaning as it might be different and thus cause
> > friction in vulnerability remediation processes.
> >
> > So my first questions would be how the Urgency is determined, and if the
> > determination is somewhat related to the CVSS qualitative ratings? And
> > secondly what would we think about adding a new Urgency: critical? Would
> > it be useful and how much effort would it be to implement?
They are documented here:

https://security-team.debian.org/security_tracker.html#severity-levels

Note that nowadays they are almost never used (apart from unimportant). Everyone needs to make their own assessment of the specific issue in their context.

So basically, no, I do not see that we would add another urgency "critical" value here.

As a side note, for some issues you will encounter absolutely odd resulting CVSS scoring in the highest ranking which makes no sense at all.

Regards,
Salvatore

