Severity levels for findings
To communicate the potential impact of a vulnerability and the urgency of remediating it, findings are classified using the following severity levels:
| Severity | Description |
| --- | --- |
| Critical | Critical severity findings indicate that the discovered weakness requires immediate remediation and/or mitigation. Critical findings typically represent weaknesses that were leveraged to gain access to systems or data that commonly carry financial or reputational loss factors. |
| High | High severity findings indicate that the discovered weakness is publicly disclosed and trivial to abuse. High findings typically represent weaknesses that were leveraged to gain privileged access to networks, systems, or applications. |
| Medium | Medium severity findings indicate weaknesses that are likely to lead to compromise but either require other attacks to be significantly impactful, result in only limited access, or require advanced knowledge and techniques to execute. |
| Low | Low severity findings indicate weaknesses that are not directly exploitable. Low findings typically require a chain of weaknesses to exploit fully, disclose non-sensitive technical information, or do not lead to any additional compromise within an environment. |
| Informational | Informational severity findings are reserved for weaknesses that represent a deviation from best practice, or weaknesses that should be reviewed because they may expose other weaknesses or lead to future vulnerability. While these weaknesses do not directly lead to compromise, they still represent potential risk and should be addressed. |