Web & Mobile

This is a vulnerability classification table for web & mobile applications (v2.0).

We use the Common Vulnerability Scoring System to assess the severity of reported vulnerabilities. Below is a classification of accepted issues and their typical severity ratings.

Severity / Example Vulnerabilities

🔴 Critical
  • Payments manipulation
  • SQL Injection (SQLi)
  • Remote Code Execution (RCE)
  • Business logic flaws causing loss of user funds or assets
  • Command Injection

🟠 High
  • Subdomain takeover (on domains linked to wallets or sensitive assets)
  • Stored Cross-Site Scripting (XSS)
  • Server-Side Request Forgery (SSRF)
  • Leakage of sensitive user information affecting >15% of users
  • File Inclusion vulnerabilities
  • Authentication Bypass: full or partial bypass of login, session management, or auth tokens
  • Insecure Direct Object Reference (IDOR): accessing unauthorized user data/resources
  • Privilege Escalation (Medium–High): a user accessing or performing admin-only functions

🟡 Medium
  • Reflected Cross-Site Scripting (XSS)
  • Subdomain takeover (non-wallet domains)
  • Two-Factor Authentication (2FA) Bypass
  • Leakage of sensitive user information affecting 3%–15% of users
  • Cross-Site Request Forgery (CSRF)

🟢 Low
  • HTML Injection
  • Subdomain takeovers without business impact (e.g., over a third-party service without access to cookies, auth, or internal APIs)
  • No rate limiting on form submissions or public endpoints
  • Content Spoofing
  • Broken Link Hijacking

Please review the Out-of-Scope Vulnerabilities before submitting.