Severity Levels

Finding severity levels.

When our pentesters find vulnerabilities, they also identify severity levels. This helps you understand the associated risk to the business.

The OWASP Risk Rating Methodology specifies High, Medium, and Low levels. We’ve added Critical and Informational levels to help you prioritize our findings.

Severity levels in the Cobalt app

We follow the standard risk model described by OWASP, where:

Risk = Likelihood * Impact

In this case, the risk rating is based on the following factors:

  • Likelihood: Specifies the probability of exploiting the finding. May include factors such as:

    • Skill required for an attacker to exploit a vulnerability
    • Availability of documented exploits
    • Ease of exploiting the vulnerability
  • Impact: Depends on the effect on technical and business operations. May include:

    • Loss of confidentiality
    • Problems with data integrity
    • Reduced availability of data or systems
    • Potential losses of money or reputation

When our pentesters find vulnerabilities, they use the standard OWASP risk model and then classify them into one of the following levels:

CategoryScoreDescription
Critical25Includes vulnerabilities that require immediate attention.
High16-24Impacts the security of your application/platform/hardware, including supported systems. Includes high probability vulnerabilities with a high business impact.
Medium5-15Includes vulnerabilities that are: medium risk, medium impact; low risk, high impact; high risk, low impact.
Low2-4Specifies common vulnerabilities with minimal impact.
Informational1Notes vulnerabilities of minimal risk to your business.

Once our pentesters assign a severity level, we move the finding to Pending Fix, as described in our Finding States.

Aggregated Risk

Aggregated Risk is the sum of the risks of individual findings discovered in a pentest.

You can view the Aggregated Risk for an asset on the Assets and Insights pages. For details, point to the tooltip on a specific page.

Last modified December 18, 2024