# Web & Mobile

We use the [Common Vulnerability Scoring System](https://www.first.org/cvss/user-guide) (CVSS) to assess the severity of reported vulnerabilities. The table below lists the classes of issues we accept and the severity each is typically assigned; the final rating depends on the impact actually demonstrated in the report.

| **Severity**    | **Example Vulnerabilities** |
| --------------- | --------------------------- |
| 🔴 **Critical** | <ul><li>Payments manipulation</li><li>SQL Injection (SQLi)</li><li>Remote Code Execution (RCE)</li><li>Business logic flaws causing loss of user funds or assets</li><li>Command Injection</li></ul> |
| 🟠 **High**     | <ul><li>Subdomain takeover (on domains linked to wallets or sensitive assets)</li><li>Stored Cross-Site Scripting (XSS)</li><li>Server-Side Request Forgery (SSRF)</li><li>Leakage of sensitive user information affecting more than 15% of users</li><li>File Inclusion vulnerabilities</li><li><strong>Authentication Bypass:</strong> full or partial bypass of login, session management, or auth tokens</li><li><strong>Insecure Direct Object Reference (IDOR):</strong> accessing another user's data or resources without authorization</li><li><strong>Privilege Escalation:</strong> a regular user accessing or performing admin-only functions (rated Medium to High depending on the functions reached)</li></ul> |
| 🟡 **Medium**   | <ul><li>Reflected Cross-Site Scripting (XSS)</li><li>Subdomain takeover (non-wallet domains)</li><li>Two-Factor Authentication (2FA) Bypass</li><li>Leakage of sensitive user information affecting 3%–15% of users</li><li>Cross-Site Request Forgery (CSRF)</li><li>Misconfigured exported Android components (e.g., unvalidated deep links, or a WebView that loads attacker-controlled URLs and leaks session tokens)</li></ul> |
| 🟢 **Low**      | <ul><li>HTML Injection</li><li>Subdomain takeover <strong>without business impact</strong> (e.g., over a third-party service with no access to cookies, authentication, or internal APIs)</li><li>No rate limiting on form submissions or public endpoints</li><li>Content Spoofing</li><li>Broken Link Hijacking</li></ul> |

Please review the [Out-of-Scope Vulnerabilities](https://docs.hackenproof.com/bug-bounty/vulnerability-classification/web-and-mobile/out-of-scope-bugs) before submitting.
