Severity Assessment in Vulnerability Testing

In the Testing Phase of bug hunting, accurately assessing the severity of each confirmed vulnerability is crucial. This process involves evaluating the potential impact of a vulnerability on the application and its users, which aids in prioritizing remediation efforts and focusing on issues with significant consequences.

Importance of Severity Assessment

Not all vulnerabilities pose the same level of risk. By determining the severity, bug hunters and organizations can:

  • Prioritize Remediation: Address critical vulnerabilities promptly to mitigate substantial risks.

  • Allocate Resources Efficiently: Focus efforts on vulnerabilities that could cause the most harm.

  • Communicate Impact Clearly: Provide stakeholders with a clear understanding of potential risks.

Factors Influencing Severity Levels

Several factors contribute to assessing the severity of a vulnerability:

  1. Exploitability: How easily can the vulnerability be exploited?

  2. Impact on Confidentiality, Integrity, and Availability (CIA Triad):

    • Confidentiality: Could sensitive information be disclosed?

    • Integrity: Can data be altered or corrupted?

    • Availability: Might the system become unavailable or disrupted?

  3. Affected Systems: Which systems or components are impacted?

  4. User Interaction: Does exploitation require user action?

  5. Authentication Requirements: Is authentication needed to exploit the vulnerability?

Common Severity Rating Systems

Standardized frameworks help in assigning severity levels:

1. Common Vulnerability Scoring System (CVSS)

CVSS provides a numerical score (0.0 to 10.0) based on various metrics, translating into qualitative ratings:

  • None: 0.0

  • Low: 0.1–3.9

  • Medium: 4.0–6.9

  • High: 7.0–8.9

  • Critical: 9.0–10.0

For detailed information, refer to the NVD Vulnerability Metrics.

Common Vulnerability Scoring System Calculator

The CVSS v3 calculator is available at https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator

2. OWASP Risk Rating Methodology

OWASP assesses risk based on Likelihood and Impact, each evaluated through specific factors:

  • Likelihood Factors:

    • Threat Agent Factors: Skill level, motive, opportunity, size.

    • Vulnerability Factors: Ease of discovery, ease of exploit, awareness, intrusion detection.

  • Impact Factors:

    • Technical Impact: Loss of confidentiality, integrity, availability, accountability.

    • Business Impact: Financial damage, reputation damage, non-compliance, privacy violation.

For more details, see the OWASP Risk Rating Methodology.
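As an added example (not OWASP's own code), the following implements the arithmetic behind the factors listed above: each factor is scored 0 to 9, likelihood is the average of the eight threat-agent and vulnerability factors, impact is the average of the four technical (or four business) factors, each average is bucketed into LOW (below 3), MEDIUM (3 to below 6) or HIGH (6 and above), and the two levels are combined through OWASP's 3x3 matrix into an overall rating. The factor scores in the sample run are constructed for a cookie-stealing XSS and are assumptions, not values from the page.

```python
"""OWASP Risk Rating Methodology calculator (added example, not OWASP's own code)."""
from dataclasses import dataclass, fields
from typing import Dict


@dataclass
class LikelihoodFactors:
    # Threat agent factors (0-9 each)
    skill_level: int
    motive: int
    opportunity: int
    size: int
    # Vulnerability factors (0-9 each)
    ease_of_discovery: int
    ease_of_exploit: int
    awareness: int
    intrusion_detection: int


@dataclass
class ImpactFactors:
    # Technical impact factors (0-9 each); substitute the business-impact
    # factors (financial, reputation, non-compliance, privacy) when they are known.
    loss_of_confidentiality: int
    loss_of_integrity: int
    loss_of_availability: int
    loss_of_accountability: int


def _average(factors) -> float:
    """Average all factor scores of a dataclass, rejecting out-of-range values."""
    values = [getattr(factors, f.name) for f in fields(factors)]
    for v in values:
        if not 0 <= v <= 9:
            raise ValueError(f"factor scores must be between 0 and 9, got {v}")
    return sum(values) / len(values)


def level(score: float) -> str:
    """Bucket a 0-9 average into OWASP's three levels."""
    if score < 3:
        return "LOW"
    if score < 6:
        return "MEDIUM"
    return "HIGH"


# Overall severity keyed by (likelihood level, impact level), per the OWASP table.
RISK_MATRIX = {
    ("LOW", "LOW"): "Note",     ("MEDIUM", "LOW"): "Low",       ("HIGH", "LOW"): "Medium",
    ("LOW", "MEDIUM"): "Low",   ("MEDIUM", "MEDIUM"): "Medium", ("HIGH", "MEDIUM"): "High",
    ("LOW", "HIGH"): "Medium",  ("MEDIUM", "HIGH"): "High",     ("HIGH", "HIGH"): "Critical",
}


def rate_risk(likelihood: LikelihoodFactors, impact: ImpactFactors) -> Dict[str, object]:
    """Return the likelihood and impact averages, their levels and the overall rating."""
    l_score, i_score = _average(likelihood), _average(impact)
    l_level, i_level = level(l_score), level(i_score)
    return {
        "likelihood": round(l_score, 2), "likelihood_level": l_level,
        "impact": round(i_score, 2), "impact_level": i_level,
        "overall": RISK_MATRIX[(l_level, i_level)],
    }


if __name__ == "__main__":
    # Constructed scores (assumptions) for an XSS that exposes session cookies:
    # anonymous internet users, public technique, exploitation easily automated,
    # attempts logged but not reviewed; moderate data exposure, hard to attribute.
    xss = rate_risk(
        LikelihoodFactors(skill_level=6, motive=9, opportunity=9, size=9,
                          ease_of_discovery=7, ease_of_exploit=9, awareness=9,
                          intrusion_detection=8),
        ImpactFactors(loss_of_confidentiality=6, loss_of_integrity=5,
                      loss_of_availability=1, loss_of_accountability=7),
    )
    print(xss)
```

Because the result records both averages and their levels, the output doubles as the documented rationale that the best-practices section asks for: a reviewer can see which factor group drove the rating rather than just the final label.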

Examples of Severity Assessment

  • High Severity: An XSS vulnerability that allows an attacker to steal user cookies, leading to session hijacking.

  • Medium Severity: An SQL Injection vulnerability that requires authentication and can access non-sensitive data.

  • Low Severity: An information disclosure vulnerability revealing non-sensitive system details.

Best Practices for Severity Assessment

  • Use Standardized Frameworks: Apply CVSS or OWASP methodologies for consistency.

  • Consider Business Context: Evaluate how the vulnerability affects the specific organization.

  • Document Rationale: Provide clear reasoning for assigned severity levels.

  • Stay Updated: Keep abreast of emerging threats and adjust assessments accordingly.

By systematically assessing the severity of vulnerabilities, bug hunters can effectively prioritize issues, ensuring that the most critical threats are addressed promptly to maintain the security and integrity of applications.
