Immunefi Vulnerability Severity Classification System

Last updated: 2020-12-10

At Immunefi, we classify bugs on a simplified 5-level scale:

Critical
High
Medium
Low
None

This scale encompasses all the aspects of a bug, from the consequence of a successful exploit, to the level of access required to exploit it, to the probability that an exploitation attempt will be successful.

For example:

A bug that results in loss of contract funds is more severe than a bug that temporarily prevents token holders from transferring their tokens.
A bug that can be triggered by any token holder is more severe than a bug that requires a pricing oracle to go rogue.
A bug that can be triggered by a third party invoking a particular function/method is more severe than a bug that requires the affected token holder to invoke that same function/method.

The table below is mostly concerned with the consequence of a successful exploit. Keep in mind that if the exploit requires elevated privileges or uncommon user interaction, the level of the bug may be downgraded to reflect that.

Smart Contracts/Blockchain

Level	Examples
5. Critical	Empty or freeze the contract’s holdings (e.g. economic attacks, flash loans, reentrancy, logic errors, integer over-/under-flow) Cryptographic flaws
4. High	Token holders temporarily unable to transfer holdings Users spoof each other Trusting trust/composability bugs may be Critical, High, or Medium depending on the outcome Transient consensus failures
3. Medium	Contract out of gas Contract consumes unbounded gas Block stuffing Denial of service (e.g. spamming block space)
2. Low	Contract fails to deliver promised returns, but doesn't lose value
1. None	Not following best practices

Websites and Apps

Level	Examples
5. Critical	Deletion of site data XSS/CSRF Arbitrary code execution Shell access on the server SQL injection
4. High	Users spoof each other Leaking user data Insufficient validation before viewing sensitive pages Dumping, but not modifying database
3. Medium	Denial of service Site goes down DNS zone transfer misconfiguration
2. Low	DoS amplification Unsecured recursive DNS resolver Open SMTP relay Bad SSL settings Missing security headers (with impact)
1. None	Using RSA1024 No ASLR No verification email Not using argon2 for password hashing Missing captcha Bad password policy Missing DMARC/DKIM/SPF on a mailserver Not following best practices

Join the community

Want to help us protect crypto from hacks?

Join our whitehat community and get notified when new bounties launch on the platform