Severity Levels Explained

Every finding discovered by the Catchify team is assigned a severity level that reflects how serious the vulnerability is and how urgently it should be addressed. Understanding these levels helps you prioritize your remediation efforts and communicate risk to stakeholders.

The Five Severity Levels

Severity       Color   Risk Level                            Typical Response Time
Critical       Red     Immediate threat to your business     Address within 24-48 hours
High           Orange  Significant security risk             Address within 1-2 weeks
Medium         Yellow  Moderate risk that should be planned  Address within 1 month
Low            Blue    Minor issue with limited impact       Address in your next release cycle
Informational  Gray    Best practice recommendation          Consider for future improvements

Critical

Critical findings represent the most severe vulnerabilities -- issues that could allow an attacker to take full control of a system, access sensitive data, or cause major business disruption with minimal effort.

Examples of critical findings:

  • An attacker can access your entire database without authentication

  • Remote code execution is possible on your servers

  • Administrative accounts can be compromised without credentials

  • Sensitive customer data (personal information, financial records) is publicly accessible

High

High-severity findings represent significant security risks. While they may require more specific conditions to exploit than critical findings, they still pose a serious threat to your organization.

Examples of high findings:

  • Stored cross-site scripting (XSS) that could affect other users

  • Privilege escalation allowing a regular user to gain admin access

  • Sensitive data exposed through insecure configurations

  • Authentication bypasses for non-administrative functions

Medium

Medium-severity findings are genuine security issues that should be addressed, but they typically require more effort or specific conditions to exploit. These are important to fix as part of your ongoing security improvement plan.

Examples of medium findings:

  • Cross-site request forgery (CSRF) on important actions

  • Information disclosure that reveals system details to potential attackers

  • Missing security headers that reduce the effectiveness of browser protections

  • Session management weaknesses

Low

Low-severity findings are minor issues with limited direct impact. While they are unlikely to cause significant damage on their own, they may contribute to a larger attack if left unaddressed.

Examples of low findings:

  • Verbose error messages revealing software versions

  • Minor information leaks in HTTP headers

  • Weak password policy enforcement

  • Non-sensitive cookies without security flags

Informational

Informational findings are not vulnerabilities in the traditional sense. They are best practice recommendations and observations that can help strengthen your overall security posture.

Examples of informational findings:

  • Recommendations for adopting newer security standards

  • Suggestions for improving logging and monitoring

  • Notes about deprecated software that should be upgraded

  • Hardening recommendations for server configurations

[Figure: example severity distribution showing counts per level]
A typical severity distribution -- aim to resolve critical and high findings first

How Severity Is Determined

The Catchify team assigns severity levels based on industry-standard frameworks and considers factors such as:

  • Exploitability -- How easy is it for an attacker to take advantage of this vulnerability?

  • Impact -- What is the potential damage if the vulnerability is exploited?

  • Scope -- How much of your environment or data is affected?

  • Required privileges -- Does the attacker need existing access, or can anyone exploit it?

If you disagree with a severity rating or want to discuss it, add a comment on the finding or contact your account manager. The Catchify team is always open to reviewing severity assessments based on your specific business context.

Prioritizing Remediation

When deciding what to fix first, we recommend this approach:

  1. Start with Critical -- These need immediate attention

  2. Move to High -- Address these within your next sprint or release cycle

  3. Plan for Medium -- Include these in your regular development backlog

  4. Schedule Low and Informational -- Address these as time allows or bundle them into larger improvement efforts

This approach ensures you are reducing the most significant risks first while still making progress on all findings.
