A severity level is applied to each vulnerability to indicate the risk it poses to the application. Severity levels are a key factor in vulnerability assessment and can be:
- Low: the application may expose some data that allows vulnerability mapping, which can be combined with other vulnerabilities to attack the application.
- Medium: may allow attackers, under some conditions, to access sensitive data in your application.
- High: may allow attackers to access sensitive data in your application.
- Critical: may allow attackers to access sensitive data and run code on your application.
Determining severity levels
The severity level of a vulnerability is derived from its Common Vulnerability Scoring System (CVSS) score.
At Snyk, we use CVSS framework version 3.1 to communicate the characteristics and severity of vulnerabilities.
| Severity level | CVSS score |
|---|---|
| Low | 0.0 - 3.9 |
| Medium | 4.0 - 6.9 |
| High | 7.0 - 8.9 |
| Critical | 9.0 - 10.0 |
Severity and priority scoring
Severity levels are one factor feeding into Snyk's Priority Score for each vulnerability, along with factors such as Snyk’s Exploit Maturity and Reachable Vulnerabilities information. Together, this scoring helps developers determine which vulnerabilities should be addressed first.
See Snyk Priority Score for details of how severity levels are used in Snyk's priority scores.
Severity levels are displayed throughout Snyk so that this information is always visible: for example, on the initial dashboard, for your projects, and for each vulnerability in a project.
See Getting started documentation for more details of using Snyk.