Are there any reference guides available that serve as the basis for determining or establishing the "Severity" ratings?

Kumar, Rajendra 21 Reputation points
2023-06-29T06:13:46.3233333+00:00

I want to understand on what basis "High/Medium/Low" Severity Ratings are made. I also observed that the "Critical" Severity Rating is missing.

It's not matching with https://www.microsoft.com/en-us/msrc/security-update-severity-rating-system

Azure Policy
An Azure service that is used to implement corporate governance and standards at scale for Azure resources.

1 answer

  1. Ryan Hill 29,651 Reputation points Microsoft Employee
    2023-07-03T19:39:43.7733333+00:00

    Severity ratings are used to indicate the level of risk associated with a security vulnerability or issue. This rating is typically based on factors such as the potential impact of the vulnerability, likelihood of it being exploited, and the ease of exploitation. Severity ratings used by Azure may differ from those used by MSRC, since they are tailored to the specific context and audience. For example, Azure may use a different set of severity ratings for its cloud services than MSRC uses for its software products.<sup>[1]</sup> As far as the "Critical" rating missing, it could be due to the fact that not all vulnerabilities or issues are considered critical in every context. For example, a vulnerability that affects a low-impact service may not be considered critical, even if it has the potential to be exploited.<sup>[1]</sup>

    Having said that, I couldn't find any specific guides or documentation leading to what establishes severity ratings in Azure Policy documentation. The closest I could find was Understand Azure Policy effects which discusses the evaluation mechanism of a policy and Get compliance data of Azure resources.

    It would help to better know where you're retrieving those ratings from.

    <sup>[1] - AI tools were used to generate this response</sup>
