Immunefi Vulnerability Severity Classification System

Being Phased Out

This Severity Classification System is being phased out and is no longer in use by new projects. Please see the Immunefi Severity Classification Systems page to find active and updated classification systems.


At Immunefi, we classify bugs on a simplified 5-level scale:

  • Critical
  • High
  • Medium
  • Low
  • None

This scale encompasses all the aspects of a bug, from the consequence of a successful exploit, to the level of access required to exploit it, to the probability that an exploitation attempt will be successful.

For example:

  • A bug that results in loss of contract funds is more severe than a bug that temporarily prevents token holders from transferring their tokens.

  • A bug that can be triggered by any token holder is more severe than a bug that requires a pricing oracle to go rogue.

  • A bug that can be triggered by a third party invoking a particular function/method is more severe than a bug that requires the affected token holder to invoke that same function/method.

The table below is mostly concerned with the consequence of a successful exploit. Keep in mind that if the exploit requires elevated privileges or uncommon user interaction, the level of the bug may be downgraded to reflect that.

Smart Contracts/Blockchain

LevelExamples
5. CriticalEmpty or freeze the contract’s holdings (e.g. economic attacks, flash loans, reentrancy, logic errors, integer over-/under-flow)
Cryptographic flaws
4. HighTheft of yield
Token holders temporarily unable to transfer holdings
Users spoof each other
Trusting trust/composability bugs may be Critical, High, or Medium depending on the outcome
Transient consensus failures
3. MediumContract out of gas
Contract consumes unbounded gas
Block stuffing
Denial of service (e.g. spamming block space)
2. LowContract fails to deliver promised returns, but doesn't lose value
1. NoneNot following best practices

Websites and Apps

LevelExamples
5. CriticalDeletion of site data
XSS/CSRF
Arbitrary code execution
Shell access on the server
SQL injection
4. HighUsers spoof each other
Leaking user data
Insufficient validation before viewing sensitive pages
Dumping, but not modifying database
3. MediumDenial of service
Site goes down
DNS zone transfer misconfiguration
2. LowDoS amplification
Unsecured recursive DNS resolver
Open SMTP relay
Bad SSL settings
Missing security headers (with impact)
1. NoneUsing RSA1024
No ASLR
No verification email
Not using argon2 for password hashing
Missing captcha
Bad password policy
Missing DMARC/DKIM/SPF on a mailserver
Not following best practices
IP disclosure