Immunefi Vulnerability Severity Classification System - Updated

Being Phased Out

Severity Classification System - Updated is being phased out and is no longer in use by new projects. Please see the Immunefi Severity Classification Systems page to find active and updated classification systems.

At Immunefi, we classify bugs on a simplified 5-level scale:

  • Critical
  • High
  • Medium
  • Low
  • None

This scale encompasses all the aspects of a bug, from the consequence of a successful exploit, to the level of access required to exploit it, to the probability that an exploitation attempt will be successful.

For example:

  • A bug that results in loss of contract funds is more severe than a bug that temporarily prevents token holders from transferring their tokens.

  • A bug that can be triggered by any token holder is more severe than a bug that requires a pricing oracle to go rogue.

  • A bug that can be triggered by a third party invoking a particular function/method is more severe than a bug that requires the affected token holder to invoke that same function/method.

The table below is mostly concerned with the consequence of a successful exploit. Keep in mind that if the exploit requires elevated privileges or uncommon user interaction, the level of the bug may be downgraded to reflect that.

Smart Contracts/Blockchain

| Level | Severity | Examples |
| --- | --- | --- |
| 5 | Critical | Empty or freeze the contract's holdings (e.g. economic attacks, flash loans, reentrancy, MEV, logic errors, integer over-/under-flow); cryptographic flaws |
| 4 | High | Token holders temporarily unable to transfer holdings; users spoof each other; theft of yield; transient consensus failures |
| 3 | Medium | Contract consumes unbounded gas; block stuffing; griefing denial of service (i.e. the attacker spends as much in gas as the damage done to the contract); gas griefing |
| 2 | Low | Contract fails to deliver promised returns, but doesn't lose value |
| 1 | None | Best practices |

Websites and Apps

| Level | Severity | CWE | Examples |
| --- | --- | --- | --- |
| 5 | Critical | CWE-78 | Remote Code Execution; Code Injection; LDAP Injection |
| | | CWE-611 | XML External Entity (XXE) |
| | | CWE-89 | SQL Injection |
| | | CWE-91 | XML Injection |
| | | CWE-829 | Server Side Includes Injection (SSI); Local File Inclusion (LFI); Directory/Path Traversal |
| | | CWE-918 | Server-Side Request Forgery (SSRF) |
| 4 | High | CWE-862 | Indirect Object Reference (IDOR); Horizontal Privilege Escalation; Vertical Privilege Escalation |
| | | CWE-200 | Confidential Information Exposure; Private Key Leaks |
| | | CWE-79 | Cross-Site Scripting (XSS) |
| | | CWE-93 | CRLF Injection |
| | | CWE-444 | HTTP Request Smuggling |
| | | CWE-434 | Unfiltered File Upload with execution |
| | | CWE-16 | Subdomain Takeovers; Dangling DNS Record |
| 3 | Medium | CWE-494 | Cloud Bucket Uploads |
| | | CWE-352 | Authenticated Cross-Site Request Forgery (CSRF) |
| | | CWE-798 | Hardcoded Credentials |
| | | CWE-863 | Authentication Bypass |
| | | CWE-16 | Broken Link Bypass |
| 2 | Low | CWE-1021 | Clickjacking (State-Changing) |
| | | CWE-400 | Denial of Service |
| 1 | None | CWE-16 | SPF/DMARC/DKIM records |
| | | CWE-601 | Open Redirects |