Every Wednesday, the Drupal Security Team publishes "Security Advisories" (or SAs) to tell users about security vulnerabilities in Drupal core and contrib modules, with advice on how to resolve each issue so that their site is secure.
This is the first in a series of articles about how to better understand all the information in a security advisory, so that you know how to take the appropriate action for your site!
Not all security vulnerabilities are equal!
Some are highly critical and require immediate action (as SA-CORE-2014-005, aka Drupalgeddon, did), or your site could be irreparably damaged and you'll have to restore from backups.
And while you should take action on any security advisory that affects your site as soon as possible (or hire someone else to do it), some security vulnerabilities present less risk, so you might choose to delay updating and focus on more important things in your business or personal life.
But how do you make that decision?
All security advisories come with a "Security risk" that is generated by the Risk Calculator, which is where labels like "Less Critical" or "Highly critical" come from.
However, those labels aren't very instructive because they don't really tell you what you're at risk of.
Each security advisory also includes the full set of values provided to the Risk Calculator, which contains a wealth of information about the vulnerability. You just need to know how to decode and understand it.
That's what this article is about!