Computer Emergency Response Team - Industrie Services et Tertiaire The CERT for France Industry, Services and Tertiary sector
Risk assessment and Nomenclature

Risk Level assessment

The Cert-IST follows the metric defined by the EISPP project (format version 1.2) in order to assess the risk level of vulnerabilities.

The Risk indicates to the reader how important the vulnerability is, and how urgently appropriate measures must be taken to counter the threat. The table below lists the Cert-IST recommendations on how to react depending on the risk level.

Risk       | Recommendation
-----------|----------------------------------------------------------------------------------
Very high  | Act immediately on all systems
High       | Act immediately on front-end systems and servers
Medium     | Action can be delayed, but a security maintenance operation must be scheduled now
Low        | Action can be delayed until the next scheduled maintenance operation



Cert-IST advisory nomenclature

Information published by Cert-IST is identified as follows: CERT-IST/tt-AAAA-nnn Vi.j

with:

tt     Information type: AV for Security Advisories, AL for Alerts, DG for Potential Dangers, IF for Interesting Information
AAAA   Year (4 digits)
nnn    Identifier (3 digits)
i.j    Advisory version: 1.0 is the first version;
       "j" is incremented for each minor update (e.g. 1.1);
       for a major update, "i" is incremented and "j" is reset to 0 (e.g. 2.0)

Examples:

  • CERT-IST/AV-2005.100 V 1.0 for the 100th advisory published in 2005,
  • CERT-IST/AV-2005.101 V 1.1 for the first minor revision of the 101st advisory in 2005,
  • CERT-IST/AV-2005.101 V 2.0 for the first major revision of the 101st advisory in 2005, etc.
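As an added example (not Cert-IST's own tooling), a small Python parser for the identifier format defined above, together with the two versioning rules (minor update increments "j", major update increments "i" and resets "j"). It accepts both the dash of the definition and the dot used in the examples between year and number.

```python
import re
from dataclasses import dataclass

# Information types listed in the Cert-IST nomenclature.
INFO_TYPES = {
    "AV": "security advisory",
    "AL": "alert",
    "DG": "potential danger",
    "IF": "interesting information",
}

# CERT-IST/tt-AAAA-nnn Vi.j ; the page's examples write the year/number
# separator as "." and put a space after "V", so both spellings are accepted.
_ID_RE = re.compile(
    r"^CERT-IST/(?P<type>[A-Z]{2})[-.](?P<year>\d{4})[-.](?P<num>\d{3})"
    r"\s+V\s*(?P<major>\d+)\.(?P<minor>\d+)$"
)


@dataclass(frozen=True)
class AdvisoryId:
    info_type: str
    year: int
    number: int
    major: int
    minor: int

    def __str__(self) -> str:
        # Canonical form as given in the definition.
        return f"CERT-IST/{self.info_type}-{self.year:04d}-{self.number:03d} V{self.major}.{self.minor}"

    def minor_update(self) -> "AdvisoryId":
        """Minor update: "j" is incremented (1.0 -> 1.1)."""
        return AdvisoryId(self.info_type, self.year, self.number, self.major, self.minor + 1)

    def major_update(self) -> "AdvisoryId":
        """Major update: "i" is incremented and "j" is reset to 0 (1.1 -> 2.0)."""
        return AdvisoryId(self.info_type, self.year, self.number, self.major + 1, 0)


def parse_advisory_id(text: str) -> AdvisoryId:
    """Parse a Cert-IST identifier; rejects malformed strings and unknown types."""
    m = _ID_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a Cert-IST identifier: {text!r}")
    t = m.group("type")
    if t not in INFO_TYPES:
        raise ValueError(f"unknown information type {t!r}")
    return AdvisoryId(t, int(m.group("year")), int(m.group("num")),
                      int(m.group("major")), int(m.group("minor")))


def is_newer(a: AdvisoryId, b: AdvisoryId) -> bool:
    """True if a is a later revision of the same advisory than b."""
    if (a.info_type, a.year, a.number) != (b.info_type, b.year, b.number):
        raise ValueError("different advisories cannot be ordered by version")
    return (a.major, a.minor) > (b.major, b.minor)
```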


Confidence level definition

For each advisory it releases, the Cert-IST rates a "confidence level" field. The different confidence levels are defined as follows:

  • Official and tested vulnerability: the vulnerability has been released by an official authority (CERT/CC, CIAC, AusCERT, ...) or by a vendor, and tested by the Cert-IST,
  • Official vulnerability: the vulnerability has been released by an official authority or by a vendor,
  • Tested vulnerability: the vulnerability has not been released by an official authority or a vendor, but it was successfully tested by the Cert-IST,
  • Probable vulnerability: the vulnerability has not been released by an official authority or a vendor, but it is highly probable (cross-checked between several information sources),
  • Not qualified vulnerability: the vulnerability has not been released by an official authority or a vendor, and it could be neither tested nor cross-checked, but its criticality justifies the advisory, which must be taken "with caution". Beware: those advisories must not be forwarded "as such".

Copyright © 1999-2013 Cert-IST