Important changes to Adobe Security Bulletins
Releasing regular security updates is one of the ways Adobe constantly strives to improve the security of our products to protect our customers and their data. The accompanying security bulletins help both customers and our partners understand the details of the vulnerabilities we’ve identified and fixed in our products.
Beginning with the June 2021 security bulletins, we’ve made some changes to help you identify and calculate the quantifiable risk from vulnerabilities, which, in turn, will help you make better and more informed decisions regarding patch management.
The new additions to the security bulletins include:
- Mapping all security vulnerabilities to the CWE (Common Weakness Enumeration) list. CWE is a community-developed list of common software and hardware security weaknesses. Mapping Adobe vulnerabilities to the CWE list will standardize the vulnerability descriptions and provide you with more information about the details and impact of a vulnerability type.
- Publishing CVSS (Common Vulnerability Scoring System) scores for security vulnerabilities. Along with categorizing our vulnerabilities in a qualitative manner (e.g., moderate, important, and critical), we will assign an industry-standard CVSS score to calculate the threat level of a vulnerability. These values range from 0 to 10, with 0 being the lowest and 10 being the highest risk. This score will help you better manage your vulnerabilities.
- Providing the CVSS vector for each vulnerability. Along with the CVSS score, we are also providing the vector, which defines the vulnerability’s parameters and attributes and identifies the values that lead to the specific CVSS value for that vulnerability. The CVSS vector contains the following information:
  - Attack Vector (AV)
  - Attack Complexity (AC)
  - Privileges Required (PR)
  - User Interaction (UI)
  - Scope (S)
  - Confidentiality (C)
  - Integrity (I)
  - Availability (A)
The CVSS vector for any vulnerability can be calculated using this calculator. You can find more information about the CVSS standard, with examples, on the FIRST.org website.
- Including our team’s email address. To make the Adobe PSIRT team more accessible for queries or clarifications, we’ve added the team’s email address at the bottom of all our security bulletins. We hope this will help to ensure quick and easy resolution directly from the documentation’s authors.
We hope these changes are helpful. If you have any suggestions for possible future improvements, please let our team know via email.