Immunefi Vulnerability Severity Classification System

Last updated: 2020-11-21

At Immunefi, we have an abridged bug classification system that classifies bugs along two axes: exploitability and consequence. Exploitability is concerned with the level of access and interaction that is required for the bug to be triggered. For instance, a bug that requires a pricing oracle to go rogue would be considered less severe than a bug that can be triggered by any token holder. Consequence is concerned with the worst outcome of a successful exploit. For instance, a bug that temporarily prevents token holders from transferring their tokens would be considered less severe than a bug that results in loss of contract funds.

Here are the two axes of exploitability and consequence with their respective levels ranging from least severe to most severe, together with examples. All bug reports are evaluated by combining their exploitability and consequence level percentage points, and multiplying the combined percentage by the total bounty pool to get the recommended bug bounty payout. We consider this system the simplest and most transparent way of valuing and rewarding high vulnerabilities.

Consequence	Examples	Default Payout Percentage
5. Deletion of site data, XSS/CSRF, ACE, loss of contract funds	Empty the contract’s holdings (Economic attacks, Broken incentive systems, DoS oracle) Shell access on the server SQL injection	50%
4. Incorrect modification of user data	Users spoof each other Most “it’s just wrong” bugs fall into this category	20%
3. Leaking user data	Dumping, but not modifying database Bad SSL settings Missing security headers Insufficient validation before viewing sensitive pages Token leakage	20%
2. DoS amplification	Unsecured DNS resolver open SMTP relay	10%
1. Denial of service	Site goes down Missing DMARC/DKIM/SPF on a mailserver DNS zone transfer misconfiguration	10%
0. No known exploit - best practices	Using RSA2048 No ASLR No verification email Not using argon2 for password hashing Missing captcha Bad password policy	+1%

Exploitability	Examples	Default Payout Percentage
5. No access	Drive-by attack	100%
4. Ordinary access	Registration & automated approval required	100%
3. Moderator-approved access	Registration & approval by site owner required	20%
2. Privileged access (non-root)	Site operator access required	10%
1. Physical access	Local console access	1%

Join the community

Want to help us protect crypto from hacks?

Join our whitehat community and get notified when new bounties launch on the platform