Severity test

At Immunefi, we classify bugs on a simplified 5-level scale:

  • Critical
  • High
  • Medium
  • Low
  • None

This scale encompasses all the aspects of a bug, from the consequence of a successful exploit, to the level of access required to exploit it, to the probability that an exploitation attempt will be successful.

For example:

  • A bug that results in loss of contract funds is more severe than a bug that temporarily prevents token holders from transferring their tokens.

  • A bug that can be triggered by any token holder is more severe than a bug that requires a pricing oracle to go rogue.

  • A bug that can be triggered by a third party invoking a particular function/method is more severe than a bug that requires the affected token holder to invoke that same function/method.

The tables below are mostly concerned with the consequence of a successful exploit. Keep in mind that if the exploit requires elevated privileges or uncommon user interaction, the level of the bug may be downgraded to reflect that.

Smart Contracts/Blockchain

<table>
<tr>
  <th>Level</th>
  <th>Examples</th>
</tr>

<tr>
  <td>5. Critical</td>

  <td>
    <ul>
      <li>
        Empty or freeze the contract’s holdings
        <br />
        (e.g. economic attacks, flash loans, reentrancy, logic errors,
        integer over-/under-flow)
      </li>
      <li>Cryptographic flaws</li>
    </ul>
  </td>
</tr>

<tr>
  <td>4. High</td>

  <td>
    <ul>
      <li>Token holders temporarily unable to transfer holdings</li>
      <li>Users spoof each other</li>
      <li>
        Trusting trust/composability bugs may be Critical, High, or Medium
        depending on the outcome
      </li>
      <li>Transient consensus failures</li>
    </ul>
  </td>
</tr>

<tr>
  <td>3. Medium</td>

  <td>
    <ul>
      <li>Contract out of gas</li>
      <li>Contract consumes unbounded gas</li>
      <li>Block stuffing</li>
      <li>Denial of service (e.g. spamming block space)</li>
    </ul>
  </td>
</tr>

<tr>
  <td>2. Low</td>

  <td>
    <ul>
      <li>
        Contract fails to deliver promised returns, but doesn't lose value
      </li>
    </ul>
  </td>
</tr>

<tr>
  <td>1. None</td>

  <td>
    <ul>
      <li>Not following best practices</li>
    </ul>
  </td>
</tr>
</table>

Websites and Apps

<table>
<tr>
  <th>Level</th>
  <th>Examples</th>
</tr>

<tr>
  <td>5. Critical</td>

  <td>
    <ul>
      <li>Deletion of site data</li>
      <li>XSS/CSRF</li>
      <li>Arbitrary code execution</li>
      <li>Shell access on the server</li>
      <li>SQL injection</li>
    </ul>
  </td>
</tr>

<tr>
  <td>4. High</td>

  <td>
    <ul>
      <li>Users spoof each other</li>
      <li>Leaking user data</li>
      <li>Insufficient validation before viewing sensitive pages</li>
      <li>Dumping, but not modifying, the database</li>
    </ul>
  </td>
</tr>

<tr>
  <td>3. Medium</td>

  <td>
    <ul>
      <li>Denial of service</li>
      <li>Site goes down</li>
      <li>DNS zone transfer misconfiguration</li>
    </ul>
  </td>
</tr>

<tr>
  <td>2. Low</td>

  <td>
    <ul>
      <li>DoS amplification</li>
      <li>Unsecured recursive DNS resolver</li>
      <li>Open SMTP relay</li>
      <li>Bad SSL settings</li>
      <li>Missing security headers (with impact)</li>
    </ul>
  </td>
</tr>

<tr>
  <td>1. None</td>

  <td>
    <ul>
      <li>Using RSA1024</li>
      <li>No ASLR</li>
      <li>No verification email</li>
      <li>Not using argon2 for password hashing</li>
      <li>Missing captcha</li>
      <li>Bad password policy</li>
      <li>Missing DMARC/DKIM/SPF on a mailserver</li>
      <li>Not following best practices</li>
    </ul>
  </td>
</tr>
</table>