
Classification

Our application employs a hybrid classification system, combining Common Vulnerability Scoring System (CVSS) severity scoring with domain-specific risk factors to provide a comprehensive vulnerability assessment.

Findings are classified into the following severity levels:

Critical

Severe vulnerabilities with immediate, significant impact, often involving direct loss of funds or full system compromise.

High

Serious flaws that could lead to major security breaches or substantial financial risks if exploited.

Medium

Notable vulnerabilities that pose moderate risks and should be addressed in due course.

Low

Minor issues or theoretical vulnerabilities with limited practical impact, including potential future concerns that don't pose an immediate security risk but should still be tracked.

Info

Informational notes and best practices that improve security posture, but are not directly exploitable vulnerabilities.

Key Principles

  1. No internal ranking: All findings within the same severity bucket (e.g., Medium) carry the same weight. There is no concept of “Medium-A” versus “Medium-B”.
  2. CVSS mapping: We use the CVSS base score as an input and map it to buckets as follows:
    • 0.0 – 3.9 → Low
    • 4.0 – 6.9 → Medium
    • 7.0 – 8.9 → High
    • 9.0 – 10.0 → Critical