Immunefi Vulnerability Severity Classification System
At Immunefi, we classify bugs on a simplified 5-level scale:
This scale encompasses all the aspects of a bug, from the consequence of a successful exploit, to the level of access required to exploit it, to the probability that an exploitation attempt will be successful.
A bug that results in loss of contract funds is more severe than a bug that temporarily prevents token holders from transferring their tokens.
A bug that can be triggered by any token holder is more severe than a bug that requires a pricing oracle to go rogue.
A bug that can be triggered by a third party invoking a particular function/method is more severe than a bug that requires the affected token holder to invoke that same function/method.
The table below is mostly concerned with the consequence of a successful exploit. Keep in mind that if the exploit requires elevated privileges or uncommon user interaction, the level of the bug may be downgraded to reflect that.
| Level | Examples |
|---|---|
| 5. Critical | Empty or freeze the contract’s holdings (e.g. economic attacks, flash loans, reentrancy, logic errors, integer over-/under-flow) |
| 4. High | Theft of yield |
| | Token holders temporarily unable to transfer holdings |
| | Users spoof each other |
| | Trusting trust/composability bugs may be Critical, High, or Medium depending on the outcome |
| | Transient consensus failures |
| 3. Medium | Contract out of gas |
| | Contract consumes unbounded gas |
| | Denial of service (e.g. spamming block space) |
| 2. Low | Contract fails to deliver promised returns, but doesn't lose value |
| 1. None | Not following best practices |
Websites and Apps
| Level | Examples |
|---|---|
| 5. Critical | Deletion of site data |
| | Arbitrary code execution |
| | Shell access on the server |
| 4. High | Users spoof each other |
| | Leaking user data |
| | Insufficient validation before viewing sensitive pages |
| | Dumping, but not modifying, the database |
| 3. Medium | Denial of service |
| | Site goes down |
| | DNS zone transfer misconfiguration |
| 2. Low | DoS amplification |
| | Unsecured recursive DNS resolver |
| | Open SMTP relay |
| | Bad SSL settings |
| | Missing security headers (with impact) |
| 1. None | Using RSA-1024 |
| | No verification email |
| | Not using argon2 for password hashing |
| | Bad password policy |
| | Missing DMARC/DKIM/SPF on a mail server |
| | Not following best practices |