HackenProof Docs
  • Welcome
    • HackenProof
      • Services we provide
      • Our resources
    • Integrations
      • Slack
      • Discord
      • Telegram
      • Zapier (Webhook)
        • Zapier -> Lark
        • Zapier -> Linear
        • Zapier -> Jira Service Management
        • Zapier -> PagerDuty
        • Zapier -> Google Chat
        • Zapier -> ClickUp
      • Jira Software
      • GitHub Issue
      • GitLab Issue
      • VDP iFrame
    • FAQ
      • Audit & Bug Bounty (BB)
      • Crowdsourced Audit & BB
      • Penetration testing & BB
    • Emergency
      • Reset 2FA
    • Code of Conduct
    • Referral Program
  • Bug Bounty
    • Bug Bounty process
    • How to start Bug Bounty
    • How to create a VDP
    • Vulnerability classification
      • Web & Mobile
        • Out-of-Scope Bugs
      • Smart contracts
      • Blockchain protocols
    • Reports Basics
      • Points Guide
      • Crafting a well-readable report
  • Dashboard
    • Company dashboard
      • Manage programs
      • Manage reports
      • Share report
      • Labels
      • E2E report encryption
      • Reports decrypting with Mailvelope
      • Users and roles
      • Program/Report Assignee
      • Replenish your balance
      • Integrations
    • Hacker dashboard
      • 👉How to start
      • Submit a report
      • Reports Basics
      • Vulnerability classification
      • 👮‍♂️KYC
      • Сreate a crypto wallet
      • 💸Withdraw bounty
      • Hacker Leaderboard
      • Reset 2FA
      • 🍕HackenProof community
      • Report ID
      • Private Program
      • Contact support
    • Company-Auditor dashboard
      • How to start
      • Add members
      • Submit report
      • Contact support
  • Crowdsourced audit
    • Audit process
    • How to start Audit
    • Supported tech
    • Vulnerability classification
    • Reports Basics
    • Qualified Auditors
    • Judging / Triaging
      • Targets
      • Team
    • [CA] Bounty Distribution Rules
    • Fee & Payments
  • DualDefense Audit
    • What is DualDefence Audit
    • General Guidelines
    • How DualDefence Audit goes
    • Contest Phases
    • Vulnerability classification
      • [DD] Smart Contracts
    • [DD] Bounty Distribution Rules
  • good to know
    • Changelog
    • Branding
    • Vulnerability Disclosure
  • Education
    • Courses
    • Tools
    • Useful sources
Powered by GitBook
On this page
  1. Bug Bounty
  2. Vulnerability classification

Web & Mobile

This is a vulnerability classification table for web & mobile applications (v2.0)

PreviousVulnerability classificationNextOut-of-Scope Bugs

Last updated 1 month ago

We use the to assess the severity of reported vulnerabilities. Below is a classification of accepted issues and their typical severity ratings.

Severity

Example Vulnerabilities

🔴 Critical

- Payments manipulation - SQL Injection (SQLi) - Remote Code Execution (RCE) - Business logic flaws causing loss of user funds or assets - Command Injection

🟠 High

- Subdomain takeover (on domains linked to wallets or sensitive assets) - Stored Cross-Site Scripting (XSS) - Server-Side Request Forgery (SSRF) - Leakage of sensitive user information affecting >15% of users - File Inclusion vulnerabilities - Authentication Bypass: Full or partial bypass of login, session management, or auth tokens. - Insecure Direct Object Reference (IDOR): Accessing unauthorized user data/resources. - Privilege Escalation (Medium–High): User accessing or performing admin-only functions.

🟡 Medium

- Reflected Cross-Site Scripting (XSS) - Subdomain takeover (non-wallet domains) - Two-Factor Authentication (2FA) Bypass - Leakage of sensitive user information affecting 3%–15% of users - Cross-Site Request Forgery (CSRF)

🟢 Low

- HTML Injection - No rate limiting on form submissions or public endpoints - Content Spoofing - Broken Link Hijacking

Please review the before submitting.

Common Vulnerability Scoring System
Out-of-Scope Vulnerabilities