Immunefi Vulnerability Severity Classification System - Updated
Being Phased Out
Severity Classification System - Updated is being phased out and is no longer in use by new projects. Please see the Immunefi Severity Classification Systems page to find active and updated classification systems.
At Immunefi, we classify bugs on a simplified 5-level scale:
- Critical
- High
- Medium
- Low
- None
This scale encompasses all the aspects of a bug, from the consequence of a successful exploit, to the level of access required to exploit it, to the probability that an exploitation attempt will be successful.
For example:
- A bug that results in loss of contract funds is more severe than a bug that temporarily prevents token holders from transferring their tokens.
- A bug that can be triggered by any token holder is more severe than a bug that requires a pricing oracle to go rogue.
- A bug that can be triggered by a third party invoking a particular function/method is more severe than a bug that requires the affected token holder to invoke that same function/method.
The table below is mostly concerned with the consequence of a successful exploit. Keep in mind that if the exploit requires elevated privileges or uncommon user interaction, the level of the bug may be downgraded to reflect that.
Smart Contracts/Blockchain
Level | Examples
---|---
5. Critical | Empty or freeze the contract's holdings (e.g. economic attacks, flash loans, reentrancy, MEV, logic errors, integer over-/under-flow); Cryptographic flaws
4. High | Token holders temporarily unable to transfer holdings; Users spoof each other; Theft of yield; Transient consensus failures
3. Medium | Contract consumes unbounded gas; Block stuffing; Griefing denial of service (i.e. attacker spends as much in gas as damage to the contract); Gas griefing
2. Low | Contract fails to deliver promised returns, but doesn't lose value
1. None | Best practices
Websites and Apps
Level | CWE | Examples
---|---|---
5. Critical | CWE-78 | Remote Code Execution; Code Injection; LDAP Injection
| CWE-611 | XML External Entity (XXE)
| CWE-89 | SQL Injection
| CWE-91 | XML Injection
| CWE-829 | Server Side Includes Injection (SSI); Local File Inclusion (LFI); Directory/Path Traversal
| CWE-918 | Server-Side Request Forgery (SSRF)
4. High | CWE-862 | Insecure Direct Object Reference (IDOR); Horizontal Privilege Escalation; Vertical Privilege Escalation
| CWE-200 | Confidential Information Exposure; Private Key Leaks
| CWE-79 | Cross-Site Scripting (XSS)
| CWE-93 | CRLF Injection
| CWE-444 | HTTP Request Smuggling
| CWE-434 | Unfiltered File Upload with execution
| CWE-16 | Subdomain Takeovers; Dangling DNS Record
3. Medium | CWE-494 | Cloud Bucket Uploads
| CWE-352 | Authenticated Cross-Site Request Forgery (CSRF)
| CWE-798 | Hardcoded Credentials
| CWE-863 | Authentication Bypass
| CWE-16 | Broken Link Bypass
2. Low | CWE-1021 | Clickjacking (State-Changing)
| CWE-400 | Denial of Service
1. None | CWE-16 | SPF/DMARC/DKIM records
| CWE-601 | Open Redirects