Immunefi Vulnerability Severity Classification System
Being Phased Out
This Severity Classification System is being phased out and is no longer in use by new projects. Please see the Immunefi Severity Classification Systems page to find active and updated classification systems.
At Immunefi, we classify bugs on a simplified 5-level scale:
This scale encompasses all the aspects of a bug, from the consequence of a successful exploit, to the level of access required to exploit it, to the probability that an exploitation attempt will be successful.
A bug that results in loss of contract funds is more severe than a bug that temporarily prevents token holders from transferring their tokens.
A bug that can be triggered by any token holder is more severe than a bug that requires a pricing oracle to go rogue.
A bug that can be triggered by a third party invoking a particular function/method is more severe than a bug that requires the affected token holder to invoke that same function/method.
The table below is mostly concerned with the consequence of a successful exploit. Keep in mind that if the exploit requires elevated privileges or uncommon user interaction, the level of the bug may be downgraded to reflect that.
|5. Critical||Empty or freeze the contract’s holdings (e.g. economic attacks, flash loans, reentrancy, logic errors, integer over-/under-flow)|
|4. High||Theft of yield|
|Token holders temporarily unable to transfer holdings|
|Users spoof each other|
|Trusting trust/composability bugs may be Critical, High, or Medium depending on the outcome|
|Transient consensus failures|
|3. Medium||Contract out of gas|
|Contract consumes unbounded gas|
|Denial of service (e.g. spamming block space)|
|2. Low||Contract fails to deliver promised returns, but doesn't lose value|
|1. None||Not following best practices|
Websites and Apps
|5. Critical||Deletion of site data|
|Arbitrary code execution|
|Shell access on the server|
|4. High||Users spoof each other|
|Leaking user data|
|Insufficient validation before viewing sensitive pages|
|Dumping, but not modifying database|
|3. Medium||Denial of service|
|Site goes down|
|DNS zone transfer misconfiguration|
|2. Low||DoS amplification|
|Unsecured recursive DNS resolver|
|Open SMTP relay|
|Bad SSL settings|
|Missing security headers (with impact)|
|1. None||Using RSA1024|
|No verification email|
|Not using argon2 for password hashing|
|Bad password policy|
|Missing DMARC/DKIM/SPF on a mailserver|
|Not following best practices|