Immunefi Vulnerability Severity Classification System
At Immunefi, we classify bugs on a simplified 5-level scale:
- Critical
- High
- Medium
- Low
- None
This scale encompasses all the aspects of a bug, from the consequence of a successful exploit, to the level of access required to exploit it, to the probability that an exploitation attempt will be successful.
For example:
- A bug that results in loss of contract funds is more severe than a bug that temporarily prevents token holders from transferring their tokens.
- A bug that can be triggered by any token holder is more severe than a bug that requires a pricing oracle to go rogue.
- A bug that can be triggered by a third party invoking a particular function/method is more severe than a bug that requires the affected token holder to invoke that same function/method.
The tables below are mostly concerned with the consequence of a successful exploit. Keep in mind that if the exploit requires elevated privileges or uncommon user interaction, the level of the bug may be downgraded to reflect that.
Smart Contracts/Blockchain
| Level | Examples |
|---|---|
| 5. Critical | Empty or freeze the contract’s holdings (e.g. economic attacks, flash loans, reentrancy, logic errors, integer over-/under-flow); Cryptographic flaws |
| 4. High | Theft of yield; Token holders temporarily unable to transfer holdings; Users spoof each other; Trusting trust/composability bugs may be Critical, High, or Medium depending on the outcome; Transient consensus failures |
| 3. Medium | Contract out of gas; Contract consumes unbounded gas; Block stuffing; Denial of service (e.g. spamming block space) |
| 2. Low | Contract fails to deliver promised returns, but doesn't lose value |
| 1. None | Not following best practices |
Websites and Apps
| Level | Examples |
|---|---|
| 5. Critical | Deletion of site data; XSS/CSRF; Arbitrary code execution; Shell access on the server; SQL injection |
| 4. High | Users spoof each other; Leaking user data; Insufficient validation before viewing sensitive pages; Dumping, but not modifying, the database |
| 3. Medium | Denial of service; Site goes down; DNS zone transfer misconfiguration |
| 2. Low | DoS amplification; Unsecured recursive DNS resolver; Open SMTP relay; Bad SSL settings; Missing security headers (with impact) |
| 1. None | Using RSA1024; No ASLR; No verification email; Not using argon2 for password hashing; Missing captcha; Bad password policy; Missing DMARC/DKIM/SPF on a mailserver; Not following best practices; IP disclosure |
