Severity Ratings
How we classify vulnerabilities by risk and impact.
Rating System
We use a four-tier severity system whose score bands follow the CVSS 4.0 qualitative rating scale, adapted to a web application security context. A finding's tier determines its remediation deadline.
CRITICAL CVSS 9.0 - 10.0
Immediate exploitation possible with severe impact. Requires emergency response.
Examples:
- Remote Code Execution (RCE)
- SQL Injection with data exfiltration
- Authentication bypass to admin access
- Pre-auth SSRF to internal systems
⚡ Remediate within 24 hours
HIGH CVSS 7.0 - 8.9
Significant risk requiring prompt attention. May lead to data breach or system compromise.
Examples:
- Stored XSS in high-traffic areas
- Insecure direct object references (IDOR) exposing sensitive user data
- Privilege escalation vulnerabilities
📅 Remediate within 7 days
MEDIUM CVSS 4.0 - 6.9
Moderate risk that should be addressed in the normal development cycle.
Examples:
- Reflected XSS requiring user interaction
- CORS misconfiguration with limited impact
- Missing security headers that weaken a concrete defense (for example, no Content-Security-Policy on pages rendering user-controlled content)
- Information disclosure of internal data (configuration, source code, or non-public records)
📆 Remediate within 30 days
LOW CVSS 0.1 - 3.9
Minor issues or best-practice recommendations with limited security impact.
Examples:
- Verbose error messages
- Missing X-Content-Type-Options header
- Cookie without a SameSite attribute
- Server version disclosure
🗓️ Remediate within 90 days
Severity Factors
We consider these factors when assigning severity (they correspond to the CVSS base metrics):
- Exploitability: How easy is it to exploit? (attack vector, attack complexity, attack requirements)
- Impact: What is the potential damage to confidentiality, integrity, and availability?
- Scope: How many users or systems are affected, and does the impact reach beyond the vulnerable component?
- Authentication: Are credentials or privileges required to exploit? (privileges required)
- User Interaction: Does exploitation require a victim to take an action? (user interaction)
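The following triage helper is an added example, not part of this page or of any program tooling it describes. It validates a CVSS 4.0 base vector string, derives the factors listed above from the vector's metrics, and maps an already-computed base score to the tier and remediation due date defined on this page. The CVSS 4.0 score itself is taken as input because its MacroVector lookup tables are not reproduced here; the sample vectors and scores below are constructed for illustration, and treating a 0.0 score as having no tier is an assumption of the example.

```python
"""Triage helper for the four-tier severity scheme described on this page.

The CVSS 4.0 base score comes from the official calculator (its MacroVector
lookup tables are not reproduced here). This script validates the vector
string, derives the page's qualitative factors from it, and assigns the tier
and the remediation due date.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Tier bands and remediation windows exactly as stated on this page:
# (lower bound inclusive, upper bound inclusive, tier name, days to remediate)
TIERS = [
    (9.0, 10.0, "CRITICAL", 1),
    (7.0, 8.9, "HIGH", 7),
    (4.0, 6.9, "MEDIUM", 30),
    (0.1, 3.9, "LOW", 90),
]

# Allowed values for each CVSS 4.0 base metric.
BASE_METRICS = {
    "AV": {"N", "A", "L", "P"},   # Attack Vector
    "AC": {"L", "H"},             # Attack Complexity
    "AT": {"N", "P"},             # Attack Requirements
    "PR": {"N", "L", "H"},        # Privileges Required
    "UI": {"N", "P", "A"},        # User Interaction
    "VC": {"H", "L", "N"},        # Vulnerable system Confidentiality
    "VI": {"H", "L", "N"},        # Vulnerable system Integrity
    "VA": {"H", "L", "N"},        # Vulnerable system Availability
    "SC": {"H", "L", "N"},        # Subsequent system Confidentiality
    "SI": {"H", "L", "N"},        # Subsequent system Integrity
    "SA": {"H", "L", "N"},        # Subsequent system Availability
}


def parse_vector(vector: str) -> dict:
    """Parse a CVSS:4.0 base vector into {metric: value}, rejecting malformed input."""
    parts = vector.split("/")
    if parts[0] != "CVSS:4.0":
        raise ValueError(f"not a CVSS 4.0 vector: {vector!r}")
    metrics = {}
    for part in parts[1:]:
        name, sep, value = part.partition(":")
        if not sep or name not in BASE_METRICS:
            raise ValueError(f"unknown or malformed metric {part!r}")
        if value not in BASE_METRICS[name]:
            raise ValueError(f"invalid value {value!r} for metric {name}")
        if name in metrics:
            raise ValueError(f"duplicate metric {name}")
        metrics[name] = value
    missing = set(BASE_METRICS) - set(metrics)
    if missing:
        raise ValueError(f"missing base metrics: {sorted(missing)}")
    return metrics


def tier_for_score(score: float):
    """Return (tier, remediation_days) for a base score; (None, None) for 0.0."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"score out of range: {score}")
    score = round(score, 1)  # CVSS scores carry one decimal place
    for low, high, name, days in TIERS:
        if low <= score <= high:
            return name, days
    return None, None  # 0.0: informational, no remediation clock (assumption)


@dataclass
class Triage:
    tier: str
    due: date
    auth_required: bool      # the page's "Authentication" factor
    user_interaction: bool   # the page's "User Interaction" factor
    crosses_scope: bool      # the page's "Scope" factor (subsequent-system impact)
    network_reachable: bool  # part of the page's "Exploitability" factor


def triage(vector: str, score: float, reported_iso: str) -> Triage:
    """Classify a finding from its vector, its base score and the ISO report date."""
    m = parse_vector(vector)
    tier, days = tier_for_score(score)
    if tier is None:
        raise ValueError("score 0.0 carries no severity tier")
    return Triage(
        tier=tier,
        due=date.fromisoformat(reported_iso) + timedelta(days=days),
        auth_required=m["PR"] != "N",
        user_interaction=m["UI"] != "N",
        crosses_scope=any(m[k] != "N" for k in ("SC", "SI", "SA")),
        network_reachable=m["AV"] == "N",
    )


if __name__ == "__main__":
    # Constructed sample findings; the scores are illustrative, not calculator output.
    samples = [
        ("CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", 9.3),  # pre-auth RCE
        ("CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N", 5.1),  # reflected XSS
    ]
    for vec, score in samples:
        print(triage(vec, score, "2024-01-01"))
```

The vector check is deliberately strict: a triage queue that silently accepts a truncated or misspelled vector will compute a due date against the wrong metrics, so malformed input raises rather than defaulting.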