# Severity Levels Explained

Every finding discovered by the Catchify team is assigned a severity level that reflects how serious the vulnerability is and how urgently it should be addressed. Understanding these levels helps you prioritize your remediation efforts and communicate risk to stakeholders.

## The Five Severity Levels

| Severity          | Color  | Risk Level                           | Typical Response Time              |
| ----------------- | ------ | ------------------------------------ | ---------------------------------- |
| **Critical**      | Red    | Immediate threat to your business    | Address within 24-48 hours         |
| **High**          | Orange | Significant security risk            | Address within 1-2 weeks           |
| **Medium**        | Yellow | Moderate risk that should be planned | Address within 1 month             |
| **Low**           | Blue   | Minor issue with limited impact      | Address in your next release cycle |
| **Informational** | Gray   | Best practice recommendation         | Consider for future improvements   |

## Critical

Critical findings represent the most severe vulnerabilities -- issues that could allow an attacker to take full control of a system, access sensitive data, or cause major business disruption with minimal effort.

**Examples of critical findings:**

* An attacker can access your entire database without authentication
* Remote code execution is possible on your servers
* Administrative accounts can be compromised without credentials
* Sensitive customer data (personal information, financial records) is publicly accessible

{% hint style="warning" %}
Critical findings should be treated as emergencies. We recommend mobilizing your team to address these within 24-48 hours of discovery. The Catchify team will highlight critical findings to you immediately.
{% endhint %}

## High

High-severity findings represent significant security risks. While they may require more specific conditions to exploit than critical findings, they still pose a serious threat to your organization.

**Examples of high findings:**

* Stored cross-site scripting (XSS) that could affect other users
* Privilege escalation allowing a regular user to gain admin access
* Sensitive data exposed through insecure configurations to users who should not have access to it (as opposed to data that is publicly reachable, which is rated critical)
* Authentication bypasses for non-administrative functions

## Medium

Medium-severity findings are genuine security issues that should be addressed, but they typically require more effort or specific conditions to exploit. These are important to fix as part of your ongoing security improvement plan.

**Examples of medium findings:**

* Cross-site request forgery (CSRF) on important actions
* Information disclosure that reveals system details to potential attackers
* Missing security headers that reduce the effectiveness of browser protections
* Session management weaknesses

## Low

Low-severity findings are minor issues with limited direct impact. While they are unlikely to cause significant damage on their own, they may contribute to a larger attack if left unaddressed.

**Examples of low findings:**

* Verbose error messages revealing software versions
* Minor information leaks in HTTP headers
* Weak password policy enforcement
* Non-sensitive cookies without security flags

## Informational

Informational findings are not vulnerabilities in the traditional sense. They are best practice recommendations and observations that can help strengthen your overall security posture.

**Examples of informational findings:**

* Recommendations for adopting newer security standards
* Suggestions for improving logging and monitoring
* Notes about deprecated software that should be upgraded
* Hardening recommendations for server configurations

<figure><img src="https://1934022057-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSEbSDqwQ0dOF3yycuHLw%2Fuploads%2Fgit-blob-0bd249e86c305f1317a5aeef1b124134ece74a4e%2Ffindings-list.png?alt=media" alt="Example severity distribution showing counts per level"><figcaption><p>A typical severity distribution -- aim to resolve critical and high findings first</p></figcaption></figure>

## How Severity Is Determined

The Catchify team assigns severity levels based on industry-standard frameworks and considers factors such as:

* **Exploitability** -- How easy is it for an attacker to take advantage of this vulnerability?
* **Impact** -- What is the potential damage if the vulnerability is exploited?
* **Scope** -- How much of your environment or data is affected, and does exploiting one component give the attacker reach into others?
* **Required privileges** -- Does the attacker need existing access, or can anyone exploit it?

{% hint style="info" %}
If you disagree with a severity rating or want to discuss it, add a comment on the finding or contact your account manager. The Catchify team is always open to reviewing severity assessments based on your specific business context.
{% endhint %}

## Prioritizing Remediation

When deciding what to fix first, we recommend this approach:

1. **Start with Critical** -- These need immediate attention
2. **Move to High** -- Address these within 1-2 weeks, typically your next sprint or release cycle
3. **Plan for Medium** -- Include these in your regular development backlog
4. **Schedule Low and Informational** -- Address these as time allows or bundle them into larger improvement efforts

This approach ensures you are reducing the most significant risks first while still making progress on all findings.
