How to choose the Correct Severity or CVSS Score for a Bug: A Practical Guide
Summary
Choosing the right severity level for a bug when performing a bug bounty is important, as it reflects the flaw's impact and how seriously the issue will be taken.
Severity ratings are typically labelled Low, Medium, High, and Critical, but the Common Vulnerability Scoring System (CVSS) is a more detailed and systematic scoring method that assesses aspects such as attack vector, attack complexity, privileges required, user interaction, scope, and impact.
For example, a vulnerability allowing unauthorised modification of a web hosting configuration, such as in the Huliahub example outlined in the summary, would be rated as High severity with a CVSS score of 8.3 out of 10.
It is important to objectively assess each of the CVSS metrics when choosing a severity level and use CVSS calculators to gauge the resultant score.
When submitting a bug, it is advised to give a clear and detailed explanation of how you arrived at the severity rating to ensure the development team understands the risk.