You are on the Cert-IST public site
Publications > Public Advisories/Alerts > Risk levels

Risk levels

Le Cert-IST includes in its publications 2 metrics to assess the risk level:

  • the first is the metric defined by the EISPP  project
  • the second is the CVSS metric (available since 2007)

The Risk indicates to the reader how important the vulnerability is, and how urgently appropriate measures must be taken to counter the threat.


EISPP uses 3 criterias (Attack requirements, Impact and Attacker Expertise) to compute a risk with 4 possible levels: Low, Medium, High and Very high. The drawing and the table below explain the asessment process and the Cert-IST recommendations on how to react depending on the risk result.For further detail, please see this short abstract or refer to the EISPP specification document (version 1.2).


CVSS uses 6 criterias to compute a risk. The risk is a decimal number from 0 (no risk) up to 10 (top risk). For further detail, please refer to the guide published by FIRST.