DEV Community

Roy Morken

Posted on • Originally published at ismycodesafe.com

How to Read a Vulnerability Report: CVSS Scores and CVE IDs Explained

## Severity Levels

Most vulnerability reports group findings into four levels. The labels map directly to how fast you should fix them:

| Level | CVSS range | Action | Example |
|---|---|---|---|
| **Critical** | 9.0 - 10.0 | Fix immediately. Drop what you're doing. | Remote code execution, SQL injection, exposed admin panel with no auth |
| **High** | 7.0 - 8.9 | Fix this week. | XSS, missing authentication on API, open database port |
| **Medium** | 4.0 - 6.9 | Schedule in current sprint. | Missing security headers, permissive CORS, information disclosure |
| **Low** | 0.1 - 3.9 | Fix when convenient. | Server version disclosure, missing Referrer-Policy, cookie without SameSite |



  ## CVSS Scores Explained


    CVSS stands for Common Vulnerability Scoring System. It's maintained by [FIRST.org](https://www.first.org/cvss/) and provides a standardized way to rate vulnerability severity on a 0-10 scale. Version 3.1 is still the version most scanners, vendors and NVD publish; version 4.0 (released in 2023) is being adopted alongside it. The two versions use different formulas, so their scores are not directly comparable; check which version a report is using before you compare numbers across reports.

The score is calculated from three groups of metrics:

    - **Base metrics** — How easy is it to exploit? What access does the attacker need? What impact does it have? These describe the vulnerability itself and don't change over time.
    - **Temporal metrics** (renamed Threat metrics in 4.0) — Is there a known exploit in the wild? Is a patch available? How reliable is the report? These change as the situation evolves.
    - **Environmental metrics** — How important is the affected system in your specific environment? A vulnerability in a test server scores differently than the same vulnerability in your payment system.

The number you see in a scanner report or on NVD is almost always the base score alone. Temporal and environmental adjustments are yours to apply; nobody else knows which of your systems handles payments.

Base metric breakdown:

    - **Attack Vector (AV)** — Network (reachable over the internet or any routed network), Adjacent (the attacker must be on the same local segment, such as the same Wi-Fi or VLAN), Local (the attacker needs a local account or must get the victim to run something on the machine), or Physical (the attacker must touch the hardware). Network is the most dangerous because anyone on the internet can try it.
    - **Attack Complexity (AC)** — Low (no special conditions needed) or High (requires a specific configuration, or winning a race condition).
    - **Privileges Required (PR)** — None, Low (regular user), or High (admin). None is worst because it means unauthenticated attacks.
    - **User Interaction (UI)** — None (attacker can exploit without anyone clicking anything) or Required (victim must click a link or visit a page).
    - **Scope (S)** — Unchanged or Changed. Changed means exploiting the vulnerable component lets the attacker affect something outside that component's own security boundary: a sandbox escape, or an XSS where the victim's browser, not the web server, is what ends up compromised. A Changed scope raises the score.
    - **Impact: Confidentiality, Integrity, Availability** — Each rated None, Low, or High. A vulnerability that gives full read access to the database scores High confidentiality impact.

You can calculate scores yourself using the FIRST.org CVSS v3.1 calculator (https://www.first.org/cvss/calculator/3.1): pick a value for each metric and it gives you the score together with the vector string, for example `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H` for a 9.8. Good reports print that vector next to the score; it tells you far more than the number alone, because you can see *why* something is a 9.8 (unauthenticated, over the network, no user interaction).

  ## What Is a CVE ID?


    CVE stands for Common Vulnerabilities and Exposures. A CVE ID (like `CVE-2024-12345`) is a unique identifier assigned to a specific known vulnerability. The format is `CVE-[year]-[number]`: the year is the year the ID was reserved, which can be earlier than the public disclosure, and the number has at least four digits but can have more (`CVE-2021-44228` is a valid ID), so don't assume a fixed width when you grep for them.




    CVE IDs are assigned by CVE Numbering Authorities (CNAs), which include many software vendors and open-source projects, and cataloged by the CVE Program run by [MITRE](https://cve.mitre.org/) (now at cve.org; the older address still works). The [NIST National Vulnerability Database (NVD)](https://nvd.nist.gov/) enriches each CVE with CVSS scores, affected software versions (as CPE version ranges), and references. Enrichment can lag publication, so a brand-new CVE may show no NVD score yet; in that case the CNA's own advisory usually carries a CVSS vector.

When a report lists a CVE:

    - Look up the CVE ID on NVD to see the full description, the CVSS score and its vector
    - Check which software versions are affected, and compare against what you actually run; a scanner usually only saw a version banner, which can be wrong in both directions
    - Check whether the CVE is in CISA's Known Exploited Vulnerabilities (KEV) catalog; if it is, treat it as Critical regardless of the score
    - Check if a patch or updated version is available; if not, look for a vendor mitigation (a configuration change, or disabling the affected feature)
    - Update the affected software to the patched version, then re-scan to confirm the finding is gone
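As an added example (not part of the original post and not ismycodesafe.com's code), a small Python script that does the first steps of that checklist on a report: it pulls CVE IDs out of the text, builds the NVD page URL for each, and decides whether the version you actually run falls inside an NVD-style affected range. The scan text, the installed-software inventory and the `NVD_SAMPLE` record are constructed for the example (the ID and score are the real Log4Shell ones; the version range is simplified, since NVD lists several ranges per CVE), and the function names are mine.

```python
import re

# A CVE ID is "CVE-" + four-digit reservation year + "-" + a sequence number of at least four digits
# (five or more digits are common now, e.g. CVE-2021-44228). Case-insensitive so "cve-2021-44228" is caught too.
CVE_RE = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b", re.IGNORECASE)


def extract_cve_ids(text: str) -> list[str]:
    """Unique CVE IDs found in a blob of report text, upper-cased, in order of first appearance."""
    found: list[str] = []
    for match in CVE_RE.finditer(text):
        cve_id = f"CVE-{match.group(1)}-{match.group(2)}"
        if cve_id not in found:
            found.append(cve_id)
    return found


def nvd_url(cve_id: str) -> str:
    """NVD detail page for a CVE: the page to open for the description, CVSS score and affected versions."""
    return f"https://nvd.nist.gov/vuln/detail/{cve_id}"


def parse_version(version: str) -> tuple[int, ...]:
    """'2.14.1' -> (2, 14, 1). A pre-release suffix such as '2.0-beta9' is truncated to its numeric prefix,
    (2, 0); fine for comparing release builds, but do not rely on it to order pre-releases."""
    parts: list[int] = []
    for piece in version.split("."):
        digits = re.match(r"\d+", piece)
        if not digits:
            break
        parts.append(int(digits.group()))
        if digits.end() != len(piece):  # stop at the first non-numeric suffix
            break
    return tuple(parts)


def is_affected(installed: str, version_range: dict) -> bool:
    """Apply an NVD-style range (versionStartIncluding / versionStartExcluding / versionEndIncluding /
    versionEndExcluding, any subset present) to an installed version string."""
    v = parse_version(installed)
    checks = [
        ("versionStartIncluding", lambda bound: v >= bound),
        ("versionStartExcluding", lambda bound: v > bound),
        ("versionEndIncluding", lambda bound: v <= bound),
        ("versionEndExcluding", lambda bound: v < bound),
    ]
    for key, ok in checks:
        if key in version_range and not ok(parse_version(version_range[key])):
            return False
    return True


# Constructed stand-in for the facts you would read off each CVE's NVD page (assumption: real NVD JSON is nested
# deeper). Score and ID are the real Log4Shell values; the single range is a simplification for the example.
NVD_SAMPLE = {
    "CVE-2021-44228": {
        "baseScore": 10.0, "baseSeverity": "CRITICAL", "product": "log4j-core",
        "ranges": [{"versionStartIncluding": "2.0", "versionEndExcluding": "2.15.0"}],
    },
}

# Constructed scan output (not real scanner output) with mixed case and a repeated ID to exercise the parser.
SCAN_TEXT = """\
[HIGH] Outdated component: log4j-core 2.14.1
       References: CVE-2021-44228 (CVSS 10.0), cve-2021-45046, CVE-2021-44228
[LOW]  Server header discloses a version string
"""
INSTALLED = {"log4j-core": "2.14.1"}  # constructed inventory of what is actually deployed


def triage(report_text: str, installed: dict, nvd: dict = NVD_SAMPLE) -> list[dict]:
    """One row per CVE named in the report: where to read it up, its score, and whether the deployed version
    really falls in the affected range (a CVE named in a report is not the same as being exposed to it)."""
    rows = []
    for cve_id in extract_cve_ids(report_text):
        record = nvd.get(cve_id)
        if record is None:  # not in our sample data: still worth the NVD lookup, nothing more to say yet
            rows.append({"cve": cve_id, "url": nvd_url(cve_id), "score": None, "affected": None})
            continue
        deployed = installed.get(record["product"])
        affected = deployed is not None and any(is_affected(deployed, r) for r in record["ranges"])
        rows.append({"cve": cve_id, "url": nvd_url(cve_id), "score": record["baseScore"],
                     "severity": record["baseSeverity"], "affected": affected})
    return rows


if __name__ == "__main__":
    for row in triage(SCAN_TEXT, INSTALLED):
        print(row)
```

Run it and the first row says the deployed 2.14.1 is inside the affected range; change `INSTALLED` to `2.17.1` and the same CVE is reported but `affected` flips to `False`, which is the difference between "the scanner mentioned it" and "we are exposed".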


  ## Prioritizing Fixes

Don't try to fix everything at once. Use this framework:

    - **Fix Critical findings first.** A Critical score means low attack effort and severe impact, and for widely used software a public exploit usually follows within days of disclosure. Hours matter.
    - **Fix High findings next.** These are exploitable but may require more effort or have lower impact.
    - **Group Medium findings into your regular development cycle.** Sprint planning, tech debt tickets, or maintenance windows.
    - **Address Low findings opportunistically.** When you're already editing the relevant code or config.




    Context matters. A "Medium" CORS misconfiguration on your marketing site is genuinely medium. The same finding on your banking API is effectively Critical because of the data at risk. This is exactly what the CVSS environmental metrics exist for: raising the Confidentiality and Integrity Requirements for an asset pushes the score up, and lowering them for a throwaway test box pulls it down. Adjust priorities based on what the affected system does and what data it touches.


  ## Reading Scan Results


    When you run a scan with [ismycodesafe.com](https://ismycodesafe.com/), results are grouped by category and severity. Here's what to focus on:




    - **Security Grade (A-F)** — Your overall score. A and B are good. C needs attention. D and F need immediate work.
    - **Critical and High findings** — Read these first. Each finding includes what was detected, why it matters, and how to fix it.
    - **OWASP mapping** — Each finding is mapped to an OWASP Top 10 category. This helps you understand the type of risk.
    - **CVE references** — If outdated software is detected, the report lists specific CVEs with CVSS scores. Look these up on NVD for details.
    - **Technology stack** — Shows what the scanner detected about your tech stack. Verify this is accurate — unexpected technologies may indicate a compromise or misconfiguration.


Want to check your website's security? Run a free scan
