Immunefi Vulnerability Severity Classification System

At Immunefi, we classify bugs on a simplified 5-level scale:

  • Critical
  • High
  • Medium
  • Low
  • None

This scale encompasses all the aspects of a bug, from the consequence of a successful exploit, to the level of access required to exploit it, to the probability that an exploitation attempt will be successful.

For example:

  • A bug that results in loss of contract funds is more severe than a bug that temporarily prevents token holders from transferring their tokens.

  • A bug that can be triggered by any token holder is more severe than a bug that requires a pricing oracle to go rogue.

  • A bug that can be triggered by a third party invoking a particular function/method is more severe than a bug that requires the affected token holder to invoke that same function/method.

The tables below are mostly concerned with the consequence of a successful exploit. Keep in mind that if the exploit requires elevated privileges or uncommon user interaction, the level of the bug may be downgraded to reflect that.

Smart Contracts/Blockchain

Level / Examples
5. Critical
  • Empty or freeze the contract’s holdings
    (e.g. economic attacks, flash loans, reentrancy, logic errors, integer over-/under-flow)
  • Cryptographic flaws
4. High
  • Token holders temporarily unable to transfer holdings
  • Users spoof each other
  • Theft of yield
  • Trusting trust/composability bugs may be Critical, High, or Medium depending on the outcome
  • Transient consensus failures
3. Medium
  • Contract out of gas
  • Contract consumes unbounded gas
  • Block stuffing
  • Denial of service (e.g. spamming block space)
2. Low
  • Contract fails to deliver promised returns, but doesn't lose value
1. None
  • Not following best practices

Websites and Apps

Level / Examples
5. Critical
  • Deletion of site data
  • XSS/CSRF
  • Arbitrary code execution
  • Shell access on the server
  • SQL injection
4. High
  • Users spoof each other
  • Leaking user data
  • Insufficient validation before viewing sensitive pages
  • Dumping, but not modifying database
3. Medium
  • Denial of service
  • Site goes down
  • DNS zone transfer misconfiguration
2. Low
  • DoS amplification
  • Unsecured recursive DNS resolver
  • Open SMTP relay
  • Bad SSL settings
  • Missing security headers (with impact)
1. None
  • Using RSA1024
  • No ASLR
  • No verification email
  • Not using argon2 for password hashing
  • Missing captcha
  • Bad password policy
  • Missing DMARC/DKIM/SPF on a mailserver
  • Not following best practices