Severity Levels
When our pentesters find vulnerabilities, they also identify severity levels. This helps you understand the associated risk to the business.
OWASP Risk Rating:
Cobalt uses the OWASP Risk Rating Methodology to specify High, Medium, and Low levels. We’ve added Critical and Informational levels to help you prioritize our findings.
We follow the standard risk model described by OWASP, where:
Risk = Likelihood * Impact
In this case, the risk rating is based on the following factors:
Likelihood: The probability that an attacker discovers and exploits the finding. May include factors such as:
- Skill required for an attacker to exploit a vulnerability
- Availability of documented exploits
- Ease of exploiting the vulnerability
Impact: Depends on the effect on technical and business operations. May include:
- Loss of confidentiality
- Loss of data integrity
- Reduced availability of data or systems
- Potential losses of money or reputation
When our pentesters find vulnerabilities, they use the standard OWASP risk model and then classify them into one of the following levels:
Severity | Score | Description |
---|---|---|
Critical | 25 | Includes vulnerabilities that require immediate attention. |
High | 16-24 | Impacts the security of your application/platform/hardware, including supported systems. Includes high probability vulnerabilities with a high business impact. |
Medium | 5-15 | Includes vulnerabilities that are: medium likelihood, medium impact; low likelihood, high impact; high likelihood, low impact. |
Low | 2-4 | Specifies common vulnerabilities with minimal impact. |
Informational | 1 | Notes vulnerabilities of minimal risk to your business. |
Once our pentesters assign a severity level, we move the finding to Pending Fix, as described in our Finding States.
CVSS v3.1 Scoring System:
To provide further context and standardization, pentesters also rate findings using the CVSS v3.1 Scoring System in addition to the OWASP severity rating. Testers complete the CVSS base metrics (the vector string), and the system automatically calculates the base score and its severity rating.
The CVSS v3.1 score ranges from 0.0 to 10.0, with the following severity ratings:
Severity | Score |
---|---|
Critical | 9.0-10.0 |
High | 7.0-8.9 |
Medium | 4.0-6.9 |
Low | 0.1-3.9 |
None | 0.0 |
OWASP and CVSS severity ratings could differ because they evaluate risk using distinct perspectives and scoring methods.
- OWASP: Prioritizes business impact by considering the broader context, including the organization’s objectives, risk tolerance, and the specific environment.
- CVSS: Focuses on technical severity with a standardized score based on the vulnerability’s technical characteristics. The base score does not factor in the specific environment or business impact (CVSS reserves those for its separate Environmental metrics, which the base rating shown here does not include).
For example, a finding with a low CVSS score might have a higher OWASP severity if it’s easy to exploit or if it affects critical data or systems.
Aggregated Risk is the sum of the risks of individual findings discovered in a pentest.
You can view the Aggregated Risk for an asset on the Assets and Insights pages. For details, point to the tooltip on a specific page.