Vulnerability Severity

For consistency, Vulcan attempts to apply a common set of severity criteria in all checks, sometimes going as far as to modify the severity reported by third-party tools so that it matches these criteria. This page contains basic descriptions of each severity level in the context of Vulcan.

Note that these criteria only consider the vulnerability itself, regardless of the environment in which the affected asset is deployed.

Critical

Critical severity issues can directly result in the complete compromise of the asset and the information that it controls. They should be addressed as soon as possible. Examples include code injection vulnerabilities such as SQL injection or buffer overflows.

High

High severity issues can result in partial compromise of the asset and the information that it controls. In combination with other issues, authenticated access, or user interaction, they can result in complete compromise of the asset. They should be prioritised and addressed soon. Examples include cross-site scripting and authenticated code injection.

Medium

Medium severity issues usually correspond to security misconfigurations that unnecessarily expose the asset to attacks or may allow a successful attack to have greater impact. They should be taken into account and addressed whenever circumstances allow it. Examples include exposed network services, weak cryptography or lack of security controls.

Low

Low severity issues usually correspond to security practices that could be implemented to enhance the security of the asset. These practices reduce the risk of successful attacks and limit the impact of a potential compromise. They should be taken into account when creating new assets or when making a change to the asset that allows the practice to be implemented. Examples include support for medium-security cryptographic protocols or the lack of modern security standards such as CSP, HSTS, DKIM, DMARC or SRI.

Informational

Informational severity issues report information found while scanning that may help provide context to users or the Security Team when investigating other issues. No action needs to be taken. Examples include information about the assets regarding operating systems, running services, software versions, supported protocols or headers.