Priority and Severity rating systems for Security Bulletins

The Adobe Priority Rating System is a guideline to help our customers in managed environments prioritize Adobe security updates. We base our priority rankings on historical attack patterns for the relevant product, the type of vulnerability, the platform(s) affected, and any potential mitigations that are in place.

The definitions of the priority ratings are:

Rating Definition
Priority 1 This update resolves vulnerabilities being targeted, or which have a higher risk of being targeted, by exploit(s) in the wild for a given product version and platform. Adobe recommends administrators install the update as soon as possible. (for example, within 72 hours).
Priority 2 This update resolves vulnerabilities in a product that has historically been at elevated risk. There are currently no known exploits. Based on previous experience, we do not anticipate exploits are imminent. As a best practice, Adobe recommends administrators install the update soon (for example, within 30 days).
Priority 3 This update resolves vulnerabilities in a product that has historically not been a target for attackers. Adobe recommends administrators install the update at their discretion.

The Adobe Severity Rating System is a guideline to help our customers assess the security impact of known software vulnerabilities.

The definitions of the severity ratings are:

Rating Definition
Critical A vulnerability, which, if exploited would allow malicious native-code to execute, potentially without a user being aware.
Important A vulnerability, which, if exploited would compromise data security, potentially allowing access to confidential data, or could compromise processing resources in a user's computer.
Moderate A vulnerability that is limited to a significant degree by factors such as default configuration, auditing, or is difficult to exploit.