Understanding Vulnerability Severity

Every check in Fortify's SecureBase includes a severity. The severity is determined and assigned by Fortify Security Researchers.

Severity Descriptions

Severity descriptions are as follows:

• Low – Interesting issues, or issues that could potentially become more severe.

• Medium – Non-HTML errors or issues that could be sensitive.

• High – Generally, the ability to view source code, files out of the Web root, and sensitive error messages.

• Critical – An attacker might have the ability to execute commands on the server or retrieve and modify private information.

How Severity is Determined

When assigning a severity, Fortify Security Researchers consider the real world impact of the vulnerability, including the following aspects:

• The maximum damage that could result if the vulnerability were exploited

• The conditions of the issue that the check can detect

• Any related Common Vulnerabilities and Exposures (CVEs)

The Research Team then debates to reach consensus and assigns a number as described in the following table.

Assigned Number	Severity
0 - 9	Normal 1 This severity is not displayed in ScanCentral DAST findings.
10	Information 2 This severity is not displayed in ScanCentral DAST findings.
11 - 25	Low
26 - 50	Medium
51 - 75	High
76 - 100	Critical