docs/programs/severity.md
Lines changed: 9 additions & 7 deletions
@@ -6,11 +6,15 @@ id: "programs/severity"
6
6
7
7
Reports are marked with a severity rating to show how severe the vulnerability is in the report submission form. The severity rating can be seen on reports, hacktivity, and in the inbox. On HackerOne, severity is particularly useful for structuring bounty ranges and is used when offering bounty recommendations. The severity level can be marked as:
8
8
9
-

9
+

10
10
11
-
HackerOne utilizes the Common Vulnerability Scoring System (CVSS) - an industry standard calculator used to determine the severity of a bug. CVSS enables a common language around the severity of bugs. Hackers can either choose a severity level based on their own judgment of the vulnerability, or they can use the CVSS calculator to give more information about the vulnerability and calculate an exact CVSS score.
11
+
HackerOne utilizes the Common Vulnerability Scoring System (CVSS) - an industry standard calculator used to determine the severity of a vulnerability. The CVSS enables a common language around the severity of vulnerabilities.
12
12
13
-
The CVSS Calculator provides a way to capture the principal characteristics of a vulnerability and produces a numerical score reflecting its severity. The numerical score is directly mapped to one of these descriptors: None, Low, Medium, High, Critical. These descriptors can then help you assess and prioritize your inbound vulnerabilities.
13
+
>**Note:** It's optional for hackers to submit a severity rating.
14
+
15
+
Hackers can either choose a severity level based on their own judgment of the vulnerability, or they can use the CVSS calculator to give more information about the vulnerability and calculate an exact CVSS score.
16
+
17
+
The CVSS Calculator provides a way to capture the principal characteristics of a vulnerability and produces a numerical score reflecting its severity. The numerical score is directly mapped to one of these descriptors: *None, Low, Medium, High, Critical*. These descriptors can then help you assess and prioritize your inbound vulnerabilities.
14
18
15
19
There are 8 metrics defined for CVSS v3. The first 5 are about the attack method itself, while the latter three are dependent on how your program assesses impact - the direct consequence of a successful exploit. These are the different components to the CVSS Calculator:
16
20
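Review bot: The added note line at +13 (`>**Note:** It's optional for hackers to submit a severity rating.`) has no space after `>`; write it as `> **Note:** ...` so the blockquote is styled the same way as other notes in the docs and renders predictably. Two smaller points in the same hunk: the new +11 line reads "The CVSS enables a common language", where the article is awkward because the document otherwise uses CVSS as a bare name (the replaced line had "CVSS enables"); and the unchanged context line at 19 mixes numerals and words ("8 metrics", "first 5", "latter three"), so if this paragraph is being touched anyway, "first five ... latter three" would be consistent.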
@@ -25,12 +29,10 @@ Confidentiality | The impact of the bug as it relates to confidential informatio
25
29
Integrity | Whether the data can be modified due to the vulnerability.
26
30
Availability | Whether data or functionality can be rendered inaccessible. The impact to the availability of the impacted component.
27
31
28
-

32
+

29
33
30
-
Instead of using the CVSS calculator, hackers can simply choose an estimated severity for the report.
34
+
Instead of using the CVSS calculator, hackers can simply choose an estimated severity for the report by selecting whether the severity of a vulnerability is either *None, Low, Medium, High,* or *Critical*.
31
35
32
36
If your program has a custom methodology for determining severity, it's best to describe it on your Security Page.
33
37
34
-
><i>Note: It's optional for the hacker to submit a severity rating.</i>
35
-
36
38
You can read more details about CVSS [here](https://www.first.org/cvss/user-guide) or check out our [blog post](https://www.hackerone.com/blog/introducing-severity-cvss).
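Review bot: In the rewritten line at +34, the italic spans in "*None, Low, Medium, High,* or *Critical*" split the list unevenly (the trailing comma is italicised while "or" is not), and "selecting whether the severity of a vulnerability is either" doubles up "whether" and "either". Suggest "by selecting one of *None, Low, Medium, High, Critical*", which also matches how the descriptors are written in the paragraph added earlier in this change. Dropping the HTML-styled `><i>Note: ...</i>` at -34 in favour of the markdown note moved to the top of the page is the right call; just make sure the two notes are not both present in the rendered file, since the old one sat after the "Security Page" sentence and the new one sits before the calculator paragraph.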