Web & Mobile

This is a vulnerability classification table for web & mobile applications (v2.0)

We use the Common Vulnerability Scoring System to assess the severity of reported vulnerabilities. Below is a classification of accepted issues and their typical severity ratings.

Severity

Example Vulnerabilities

🔴 Critical

- Payments manipulation - SQL Injection (SQLi) - Remote Code Execution (RCE) - Business logic flaws causing loss of user funds or assets - Command Injection

🟠 High

- Subdomain takeover (on domains linked to wallets or sensitive assets) - Stored Cross-Site Scripting (XSS) - Server-Side Request Forgery (SSRF) - Leakage of sensitive user information affecting >15% of users - File Inclusion vulnerabilities - Authentication Bypass: Full or partial bypass of login, session management, or auth tokens. - Insecure Direct Object Reference (IDOR): Accessing unauthorized user data/resources. - Privilege Escalation (Medium–High): User accessing or performing admin-only functions.

🟡 Medium

- Reflected Cross-Site Scripting (XSS) - Subdomain takeover (non-wallet domains) - Two-Factor Authentication (2FA) Bypass - Leakage of sensitive user information affecting 3%–15% of users - Cross-Site Request Forgery (CSRF)

🟢 Low

- HTML Injection - No rate limiting on form submissions or public endpoints - Content Spoofing - Broken Link Hijacking

Please review the Out-of-Scope Vulnerabilities before submitting.

PreviousVulnerability classification NextOut-of-Scope Bugs

Last updated 1 month ago