# Web & Mobile

We use the [Common Vulnerability Scoring System](https://www.first.org/cvss/user-guide) to assess the severity of reported vulnerabilities. Below is a classification of accepted issues and their typical severity ratings.

| **Severity**    | **Example Vulnerabilities**                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
| --------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| 🔴 **Critical** | <ul><li>Payments manipulation</li><li>SQL Injection (SQLi)</li><li>Remote Code Execution (RCE)</li><li>Business logic flaws causing loss of user funds or assets</li><li>Command Injection</li></ul>                                                                                                                                                                                                                                                                                                                                                                                                                                         |
| 🟠 **High**     | <ul><li>Subdomain takeover (on domains linked to wallets or sensitive assets)</li><li>Stored Cross-Site Scripting (XSS)</li><li>Server-Side Request Forgery (SSRF)</li><li>Leakage of sensitive user information affecting >15% of users</li><li>File Inclusion vulnerabilities</li><li><strong>Authentication Bypass:</strong> Full or partial bypass of login, session management, or auth tokens.</li><li><strong>Insecure Direct Object Reference (IDOR):</strong> Accessing unauthorized user data/resources.</li><li><strong>Privilege Escalation</strong> (Medium–High): User accessing or performing admin-only functions.</li></ul> |
| 🟡 **Medium**   | <ul><li>Reflected Cross-Site Scripting (XSS)</li><li>Subdomain takeover (non-wallet domains)</li><li>Two-Factor Authentication (2FA) Bypass</li><li>Leakage of sensitive user information affecting 3%–15% of users</li><li>Cross-Site Request Forgery (CSRF)</li><li>Misconfigured exported Android components (e.g., unvalidated deeplinks, WebView loading attacker-controlled URLs leading to session token leakage)</li></ul>                                                                                                                                                                                                           |
| 🟢 **Low**      | <ul><li>HTML Injection</li><li>Subdomain takeovers <strong>without business impact</strong> (e.g., over a third-party service without access to cookies, auth, or internal APIs).</li><li>No rate limiting on form submissions or public endpoints</li><li>Content Spoofing</li><li>Broken Link Hijacking</li></ul>                                                                                                                                                                                                                                                                                                                          |

Please review the [Out-of-Scope Vulnerabilities](/bug-bounty/vulnerability-classification/web-and-mobile/out-of-scope-bugs.md) before submitting.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available on this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.hackenproof.com/bug-bounty/vulnerability-classification/web-and-mobile.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
