Severity Levels
Understanding Vulnsy's five severity levels — Critical, High, Medium, Low, and Informational — and how they affect report output.
Every finding in Vulnsy is assigned a severity level. Severity communicates the risk a vulnerability poses to the client and determines the order findings appear in exported reports.
Severity Definitions
| Severity | Description | Example |
|---|---|---|
| Critical | Immediate risk of data breach or full system compromise. Exploitation is trivial and may require no authentication. | Unauthenticated remote code execution, SQL injection exposing entire database |
| High | Significant security impact. Exploitation is feasible with moderate effort or requires limited prerequisites. | Stored XSS in admin panel, privilege escalation to admin role |
| Medium | Moderate risk. Exploitation may require specific conditions, user interaction, or chained vulnerabilities. | CSRF on sensitive actions, missing rate limiting on login |
| Low | Minor security concern with limited impact. Difficult to exploit or requires significant prerequisites. | Verbose error messages, missing security headers with low impact |
| Informational | No direct security impact. Best practice recommendation or observation for hardening. | Software version disclosure, use of deprecated TLS cipher suites |
How Severity Affects Reports
- Sort order — When findings are sorted by severity in an exported report, they appear in order from Critical down to Informational
- Executive summary — Severity counts (e.g. "3 Critical, 5 High, 8 Medium") are commonly included in report summaries to give clients a quick risk overview
- Prioritization — Clients use severity to prioritize remediation efforts, so accurate ratings are essential
Be consistent with severity ratings across engagements. If your team rates missing HSTS as Low on one report, it should be Low on every report unless specific circumstances change the risk.
CVSS Scores
Vulnsy's severity levels can be complemented by CVSS (Common Vulnerability Scoring System) scores. CVSS provides a numerical score (0.0–10.0) that maps to severity:
| CVSS Score | Severity |
|---|---|
| 9.0–10.0 | Critical |
| 7.0–8.9 | High |
| 4.0–6.9 | Medium |
| 0.1–3.9 | Low |
| 0.0 | Informational |
CVSS scores are optional. Many pentest teams prefer qualitative severity ratings based on real-world exploitability and business context rather than relying solely on CVSS.
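The following Python snippet is an added example, not part of Vulnsy's code, that puts the CVSS-to-severity table, the Critical-to-Informational sort order, the executive-summary counts and the cross-engagement consistency rule from the sections above into one runnable script. The finding records, the team baseline and the rule that zero-count levels are omitted from the summary line are assumptions made for illustration.

```python
from collections import Counter

# Vulnsy's five severity levels, highest risk first (report sort order).
SEVERITY_ORDER = ["Critical", "High", "Medium", "Low", "Informational"]
RANK = {name: i for i, name in enumerate(SEVERITY_ORDER)}

# Lower bound of each CVSS band from the table above; exactly 0.0 is Informational.
CVSS_BANDS = [(9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (0.1, "Low")]


def cvss_to_severity(score: float) -> str:
    """Map a CVSS score (0.0-10.0) to a Vulnsy severity level."""
    score = round(float(score), 1)  # CVSS scores carry one decimal place
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    for floor, severity in CVSS_BANDS:
        if score >= floor:
            return severity
    return "Informational"  # only 0.0 reaches this point


def sort_findings(findings: list[dict]) -> list[dict]:
    """Order findings Critical -> Informational; equal severities keep input order."""
    return sorted(findings, key=lambda f: RANK[f["severity"]])


def severity_summary(findings: list[dict]) -> str:
    """Executive-summary counts, e.g. '3 Critical, 5 High, 8 Medium'.
    Levels with zero findings are left out (an assumption, not a Vulnsy rule)."""
    counts = Counter(f["severity"] for f in findings)
    return ", ".join(f"{counts[s]} {s}" for s in SEVERITY_ORDER if counts[s])


def inconsistent_ratings(findings: list[dict], baseline: dict[str, str]) -> list[str]:
    """Titles rated differently from the team's baseline (hypothetical title -> severity map)."""
    return [f["title"] for f in findings
            if f["title"] in baseline and baseline[f["title"]] != f["severity"]]


# Constructed sample findings for a fictional engagement.
SAMPLE = [
    {"title": "Missing HSTS header", "severity": "Medium"},
    {"title": "Unauthenticated remote code execution", "severity": cvss_to_severity(9.8)},
    {"title": "Software version disclosure", "severity": cvss_to_severity(0.0)},
    {"title": "CSRF on password change", "severity": cvss_to_severity(6.5)},
]
TEAM_BASELINE = {"Missing HSTS header": "Low"}  # how this team rated it on past reports

if __name__ == "__main__":
    for f in sort_findings(SAMPLE):
        print(f"{f['severity']:<13} {f['title']}")
    print(severity_summary(SAMPLE))
    print("inconsistent with baseline:", inconsistent_ratings(SAMPLE, TEAM_BASELINE))
```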
Choosing the Right Severity
When assigning severity, consider:
- Exploitability — How easy is it to exploit? Does it require authentication, special tools, or user interaction?
- Impact — What is the worst-case outcome? Data breach, service disruption, or information disclosure?
- Scope — Does exploiting this issue affect other systems or components beyond the vulnerable one?
- Business context — A medium-severity technical finding on a payment processing system may warrant a higher effective rating due to regulatory impact