Jon | Last updated: Jan 11, 2016 07:09PM UTC

I understand that the severity ratings are defined based upon the experience of your security researchers and seeing the vulnerabilities in real applications. What I have not yet been able to identify is what exactly a High, Medium or Low actually means. If a vulnerability is identified as High, what does that mean? Does a High mean that the effort needed to exploit is trivial, and the data exposed is significant? And what would make such a vulnerability a severity of High versus a Medium? Is Medium a less trivial exploit, or one resulting in minimal data exposure? To help understand what I am asking, you can look at the PCI compliance level definitions, starting at page 5: https://www.pcisecuritystandards.org/pdfs/pci_scanning_procedures_v1-1.pdf

PortSwigger Agent | Last updated: Jan 12, 2016 08:46AM UTC

The severity is a rough indication of the impact of the issue, in a typical application. It indicates, roughly, how bad it would be for the application/owner if the issue was exploited. Any classification of issue severity is inherently vague, ordinal in nature (rather than quantitative), and should be reviewed by the user based on their knowledge of the purpose and context of the associated functionality.

