Meaning of "source severity" categories in Windows patches

Hi,

Can anyone point me to where I can understand the meaning of each “Source severity” category? I am especially interested in the “unspecified” category.
I was looking in https://www.ibm.com/developerworks/community/forums/html/topic?id=5da6120b-ac75-4da4-9997-02cc6b2fdeb9 and it did not mention the “Unspecified” category.

Thanks.

This category is prescribed to fixlets that are patches/updates from (most commonly) Microsoft that they do not attach a severity to. They will generally only attach a severity to security updates. If it’s unspecified, it’s likely because it does not address a security risk.

Source Severity is assigned to the update by Microsoft. So if Microsoft does not provide a Source Severity on one of their updates (or many) then it will appear as “unspecified” because Microsoft has not specified it. If there is a Source Severity on one of the Microsoft updates it typically means that the update is an update to a publicly known vulnerability on one of the CVE lists.

When patching, it may be more meaningful to prioritize your patching efforts by looking at Category in combination with Source Severity.
