Evaluating the Severity of Submissions
This page provides a structured approach to classify the severity of your findings accurately, ensuring they are in line with our criteria for low, medium, and high-severity issues.
Understanding Severity in Vulnerability Assessment
The severity of a vulnerability is a measure of its potential impact on the system, considering factors like exploitability, impact on users, and the complexity of mitigation. Accurate severity assessment helps in prioritizing fixes and understanding the risk associated with the vulnerability.
Example Severity Levels Defined
The following are some generic examples of severity levels. However, protocols have complete control over defining these for their own unique needs.
Low Severity: These are typically minor issues that pose a limited impact on the system. They might include:
Inefficiencies in gas usage.
Minor deviations from best practices that don't lead to security risks.
Small bugs that do not affect the protocol's functionality or security.
Medium Severity: These issues represent a greater threat and may include:
Vulnerabilities that can cause temporary disruption but do not lead to direct loss of funds or long-term damage.
Flaws that require specific conditions or privileges to exploit.
Vulnerabilities that impact the user experience but do not compromise the overall security of the protocol.
High Severity: These are critical issues that demand immediate attention, such as:
Direct theft or loss of user funds.
Long-term freezing of user funds.
Vulnerabilities leading to protocol insolvency.
Exploits that allow unauthorized control or manipulation of the protocol.
Evaluating the Severity of Your Findings
Analyze Exploitability: Assess how easy it is to exploit the vulnerability. High-severity issues are often easily exploitable, while lower-severity ones require more specific conditions.
Consider Impact: Evaluate the potential damage the vulnerability can cause. High-severity vulnerabilities usually have widespread implications, like loss of funds or user trust.
Review Attack Complexity: Consider how complex it is to execute the attack. The simpler it is, the higher the severity.
Check for Mitigation and Workarounds: Determine if there are easy fixes or workarounds. Issues without straightforward solutions are often of higher severity.
Contextualize Within the Protocol: Understand how the vulnerability fits within the broader context of the protocol. Issues affecting core functionalities are generally of higher severity.
Another helpful principle to take into account is the combined impact and probability of an exploit. Weighing these two factors together can help inform your evaluation of a finding's severity level.