Note: This rating scale borrows heavily from the scale that Whitehat Security uses for rating web
application security vulnerabilities, with some slight changes to the Impact rating definitions, a different
definition of Overall Risk, and the addition of the Residual Risk rating.
Likelihood
The chance of an attacker discovering the issue and the level of skill and access required to
exploit it.
Numeric Rating  Title  Description
1 Low
• Attack method is obscure, brand-new, or strictly a theory
• Distributed systems knowledge (or insider status) required for execution
• Origin of attack is typically local
• A month or more of time is required to design and launch attack
• Authentication is required
• Attack vector is highly transient, conditional, and located deep in the code
• Extremely narrow attack surface
2 Medium
• At least one proof-of-concept has been demonstrated, but there are no records of real world attacks
• Considerable technical skill is required
• Attack vector is moderately transient and conditional
• Attack vector is moderately deep in the code
3 High
• Tools to automate the attack are available, but require some background knowledge
• A moderate amount of time and resources are required
• Proofs-of-concept and a few real-world exploits have occurred, but details may not be known
4 Critical
• Little time and few resources are needed for execution
• Some background knowledge may be required for execution
• Remotely exploitable
• Authentication, if required by the application, is easily defeated
• Details of past exploits somewhat available
5 Urgent
• Very low time, resources, and skill levels are needed for execution
• Easily exploitable
• Can be accidentally triggered by unsuspecting, non-technical user
• Authentication may not be required
• Details of past exploits and demonstrations are widely available
• Extensive educational materials have been published about this vulnerability class
• Large, almost universal attack surface with many entry points
Impact
The potential business impact if a specific vulnerability is exploited.
Numeric Rating  Title  Description
1 Very Low / Non-Issue
2 Low
• Exposes precise versions of applications
• Exposes non-sensitive information
3 High
• Exposes security settings, software distributions and versions, database names
• Phishing-related vulnerabilities
• Examples: Information Leakage in HTML Comments, Reflected Cross-Site Scripting
4 Critical
• Attacker can assume remote user only, not root or admin
• Partial file-system access (full read access without full write access)
• Examples: Insufficient Authentication, Parameter Tampering, Some Types of Persistent Cross-Site Scripting
5 Urgent
• Attacker can assume remote root or remote administrator roles
• Exposes entire host to attacker; backend database, personally identifiable records, credit card data
• Full read and write access, remote execution of commands
• Examples: Insufficient Authorization, SQL Injection, Directory Traversal
Overall Risk Rating
A combination of Likelihood and Impact, expressed as an integer between 1 and 5. It is not
necessarily the average of the Likelihood and Impact ratings.
Residual Risk Rating
This is an integer between 1 and 5 indicating the overall remaining risk after the recommended
security improvements / fixes have been implemented.