Immunefi Vulnerability Severity Classification System - Updated
At Immunefi, we classify bugs on a simplified 5-level scale:
- Critical
- High
- Medium
- Low
- None
This scale encompasses all the aspects of a bug, from the consequence of a successful exploit, to the level of access required to exploit it, to the probability that an exploitation attempt will be successful.
For example:
- A bug that results in loss of contract funds is more severe than a bug that temporarily prevents token holders from transferring their tokens.
- A bug that can be triggered by any token holder is more severe than a bug that requires a pricing oracle to go rogue.
- A bug that can be triggered by a third party invoking a particular function/method is more severe than a bug that requires the affected token holder to invoke that same function/method.
The table below is mostly concerned with the consequence of a successful exploit. Keep in mind that if the exploit requires elevated privileges or uncommon user interaction, the level of the bug may be downgraded to reflect that.
Smart Contracts/Blockchain
Level | Examples
---|---
5. Critical | Empty or freeze the contract's holdings (e.g. economic attacks, flash loans, reentrancy, MEV, logic errors, integer over-/under-flow); cryptographic flaws
4. High | Token holders temporarily unable to transfer holdings; users spoof each other; theft of yield; transient consensus failures
3. Medium | Contract consumes unbounded gas; block stuffing; griefing denial of service (i.e. the attacker spends as much in gas as the damage done to the contract); gas griefing
2. Low | Contract fails to deliver promised returns, but doesn't lose value
1. None | Best practices
Websites and Apps
Level | CWE | Examples
---|---|---
5. Critical | CWE-78 | Remote Code Execution; Code Injection; LDAP Injection
5. Critical | CWE-611 | XML External Entity (XXE)
5. Critical | CWE-89 | SQL Injection
5. Critical | CWE-91 | XML Injection
5. Critical | CWE-829 | Server Side Includes Injection (SSI); Local File Inclusion (LFI); Directory/Path Traversal
5. Critical | CWE-918 | Server-Side Request Forgery (SSRF)
4. High | CWE-862 | Insecure Direct Object Reference (IDOR); Horizontal Privilege Escalation; Vertical Privilege Escalation
4. High | CWE-200 | Confidential Information Exposure; Private Key Leaks
4. High | CWE-79 | Cross-Site Scripting (XSS)
4. High | CWE-93 | CRLF Injection
4. High | CWE-444 | HTTP Request Smuggling
4. High | CWE-434 | Unfiltered File Upload with execution
4. High | CWE-16 | Subdomain Takeovers; Dangling DNS Record
3. Medium | CWE-494 | Cloud Bucket Uploads
3. Medium | CWE-352 | Authenticated Cross-Site Request Forgery (CSRF)
3. Medium | CWE-798 | Hardcoded Credentials
3. Medium | CWE-863 | Authentication Bypass
3. Medium | CWE-16 | Broken Link Bypass
2. Low | CWE-1021 | Clickjacking (state-changing)
2. Low | CWE-400 | Denial of Service
1. None | CWE-16 | SPF/DMARC/DKIM records
1. None | CWE-601 | Open Redirects