# Severity Assessment in Vulnerability Testing

In the **Testing Phase** of bug hunting, accurately assessing the severity of each confirmed vulnerability is crucial. This process involves evaluating the potential impact of a vulnerability on the application and its users, which aids in prioritizing remediation efforts and focusing on issues with significant consequences.

### Importance of Severity Assessment

Not all vulnerabilities pose the same level of risk. By determining the severity, bug hunters and organizations can:

* **Prioritize Remediation**: Address critical vulnerabilities promptly to mitigate substantial risks.
* **Allocate Resources Efficiently**: Focus efforts on vulnerabilities that could cause the most harm.
* **Communicate Impact Clearly**: Provide stakeholders with a clear understanding of potential risks.

### Factors Influencing Severity Levels

Several factors contribute to assessing the severity of a vulnerability:

1. **Exploitability**: How easily can the vulnerability be exploited?
2. **Impact on Confidentiality, Integrity, and Availability (CIA Triad)**:
   * **Confidentiality**: Could sensitive information be disclosed?
   * **Integrity**: Can data be altered or corrupted?
   * **Availability**: Might the system become unavailable or disrupted?
3. **Affected Systems**: Which systems or components are impacted?
4. **User Interaction**: Does exploitation require user action?
5. **Authentication Requirements**: Is authentication needed to exploit the vulnerability?

### Common Severity Rating Systems

Standardized frameworks help in assigning severity levels:

#### 1. Common Vulnerability Scoring System (CVSS)

CVSS produces a numerical base score (0.0 to 10.0) from a fixed set of exploitability and impact metrics; the score maps to a qualitative rating:

* **None**: 0.0
* **Low**: 0.1–3.9
* **Medium**: 4.0–6.9
* **High**: 7.0–8.9
* **Critical**: 9.0–10.0

For detailed information, refer to the [NVD Vulnerability Metrics](https://nvd.nist.gov/vuln-metrics/cvss).

##### Common Vulnerability Scoring System Calculator

NVD hosts an interactive CVSS v3 calculator that builds the vector string and computes the score for you: <https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator>

#### 2. OWASP Risk Rating Methodology

OWASP assesses risk based on **Likelihood** and **Impact**, each evaluated through specific factors:

* **Likelihood Factors**:
  * **Threat Agent Factors**: Skill level, motive, opportunity, size.
  * **Vulnerability Factors**: Ease of discovery, ease of exploit, awareness, intrusion detection.
* **Impact Factors**:
  * **Technical Impact**: Loss of confidentiality, integrity, availability, accountability.
  * **Business Impact**: Financial damage, reputation damage, non-compliance, privacy violation.

For more details, see the [OWASP Risk Rating Methodology](https://owasp.org/www-community/OWASP_Risk_Rating_Methodology).
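The OWASP computation described above, written out as an added Python example (not the page's or OWASP's own code): each factor is rated 0 to 9, likelihood is the mean of the eight likelihood factors, impact is the mean of the four business impact factors (falling back to the technical factors when business ratings are not available), each mean is banded LOW/MEDIUM/HIGH, and the pair is looked up in OWASP's overall severity matrix. The factor scales, bands and matrix follow the OWASP methodology; the sample ratings for a hypothetical stored-XSS finding are constructed.

```python
# Factor names follow the OWASP Risk Rating Methodology; every factor is
# rated 0 (least likely / least harmful) to 9 (most likely / most harmful).
LIKELIHOOD_FACTORS = (
    # threat agent factors
    "skill_level", "motive", "opportunity", "size",
    # vulnerability factors
    "ease_of_discovery", "ease_of_exploit", "awareness", "intrusion_detection",
)
TECHNICAL_IMPACT_FACTORS = (
    "loss_of_confidentiality", "loss_of_integrity",
    "loss_of_availability", "loss_of_accountability",
)
BUSINESS_IMPACT_FACTORS = (
    "financial_damage", "reputation_damage", "non_compliance", "privacy_violation",
)

# OWASP's overall severity matrix, keyed (impact level, likelihood level).
SEVERITY_MATRIX = {
    ("HIGH", "LOW"): "Medium",   ("HIGH", "MEDIUM"): "High",     ("HIGH", "HIGH"): "Critical",
    ("MEDIUM", "LOW"): "Low",    ("MEDIUM", "MEDIUM"): "Medium", ("MEDIUM", "HIGH"): "High",
    ("LOW", "LOW"): "Note",      ("LOW", "MEDIUM"): "Low",       ("LOW", "HIGH"): "Medium",
}


def level(score: float) -> str:
    """OWASP bands: 0 to <3 LOW, 3 to <6 MEDIUM, 6 to 9 HIGH."""
    if score < 3:
        return "LOW"
    if score < 6:
        return "MEDIUM"
    return "HIGH"


def average(factors, ratings: dict) -> float:
    """Mean of the named factors; refuses missing or out-of-range ratings
    rather than silently scoring with defaults."""
    missing = [f for f in factors if f not in ratings]
    if missing:
        raise ValueError(f"missing factor ratings: {missing}")
    bad = [f for f in factors if not 0 <= ratings[f] <= 9]
    if bad:
        raise ValueError(f"ratings must be between 0 and 9: {bad}")
    values = [ratings[f] for f in factors]
    return sum(values) / len(values)


def assess(ratings: dict) -> dict:
    """Return likelihood, impact and overall severity for one finding.
    Business impact is used when all four business factors are rated,
    otherwise technical impact (the fallback OWASP recommends)."""
    likelihood = average(LIKELIHOOD_FACTORS, ratings)
    has_business = all(f in ratings for f in BUSINESS_IMPACT_FACTORS)
    impact_factors = BUSINESS_IMPACT_FACTORS if has_business else TECHNICAL_IMPACT_FACTORS
    impact = average(impact_factors, ratings)
    return {
        "likelihood": likelihood,
        "likelihood_level": level(likelihood),
        "impact": impact,
        "impact_basis": "business" if has_business else "technical",
        "impact_level": level(impact),
        "severity": SEVERITY_MATRIX[(level(impact), level(likelihood))],
    }


# Constructed ratings for a hypothetical stored-XSS finding (not from any real program).
SAMPLE_FINDING = {
    "skill_level": 6, "motive": 4, "opportunity": 7, "size": 6,
    "ease_of_discovery": 7, "ease_of_exploit": 5, "awareness": 6, "intrusion_detection": 8,
    "loss_of_confidentiality": 6, "loss_of_integrity": 3,
    "loss_of_availability": 1, "loss_of_accountability": 7,
    "financial_damage": 3, "reputation_damage": 5,
    "non_compliance": 2, "privacy_violation": 7,
}

if __name__ == "__main__":
    for key, value in assess(SAMPLE_FINDING).items():
        print(f"{key:>17}: {value}")
```

Keeping the per-factor ratings alongside the result is what makes the "Document Rationale" practice below possible: a reviewer can see which factor pushed a finding across a band boundary instead of only the final label.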

### Examples of Severity Assessment

* **High Severity**: An XSS vulnerability that allows an attacker to steal user cookies, leading to session hijacking.
* **Medium Severity**: An SQL Injection vulnerability that requires authentication and can access non-sensitive data.
* **Low Severity**: An information disclosure vulnerability revealing non-sensitive system details.

### Best Practices for Severity Assessment

* **Use Standardized Frameworks**: Apply CVSS or OWASP methodologies for consistency.
* **Consider Business Context**: Evaluate how the vulnerability affects the specific organization.
* **Document Rationale**: Provide clear reasoning for assigned severity levels.
* **Stay Updated**: Keep abreast of emerging threats and adjust assessments accordingly.

By systematically assessing the severity of vulnerabilities, bug hunters can effectively prioritize issues, ensuring that the most critical threats are addressed promptly to maintain the security and integrity of applications.
