
Please know that you are not in a competition. Don't increase the severity of the findings unnecessarily.
A bug bar can help you stay consistent. Here is an example set of bug bar criteria, with examples for each level:
Critical
Which means: Severe, Catastrophic, Urgent. A security vulnerability rated as having the highest potential for damage. It usually involves remote code execution, elevation of privilege, or denial of service with no or only minimal user interaction.
Examples:
- A network worm that can infect and compromise any system on the internet without user interaction
- A SQL injection that allows an attacker to execute arbitrary commands on a database server
- A buffer overflow that allows an attacker to run arbitrary code on a web server by sending a specially crafted request
High
Which means: Major, Serious, Significant. A security vulnerability with significant potential for damage, but less than Critical. It usually involves remote code execution, elevation of privilege, or denial of service that requires extensive user interaction or is limited by mitigating factors.
Examples:
- A cross-site scripting (XSS) flaw that allows an attacker to run arbitrary script in a victim's browser, in the context of the vulnerable web page, by tricking the user into clicking a malicious link
- A local file inclusion (LFI) that allows an attacker to read arbitrary files on the web server by manipulating a URL parameter
- A denial of service that crashes a web server when a large number of requests is sent in a short period of time
Medium
Which means: Moderate, Important, Considerable. A security vulnerability with moderate potential for damage, but less than High. It usually involves security issues that require moderate user interaction or are limited by mitigating factors.
Examples:
- A broken object-level access control (BOLA) flaw that allows an attacker to access another user's data by changing an identifier in the URL
- A phishing email that impersonates a legitimate sender and asks the user to provide sensitive information or click a malicious link
- A cross-site request forgery (CSRF) that allows an attacker to perform unauthorized actions on behalf of a user by exploiting the web application's trust in the user's browser
Low
Which means: Minor, Low-priority, Negligible. A security vulnerability with low potential for damage, but less than Medium. It usually involves security issues that require extensive user interaction or are limited by mitigating factors.
Examples:
- A cookie set without the Secure or HttpOnly flags, so it can be intercepted over plaintext HTTP or read by an attacker
- A weak password policy that allows users to choose easy-to-guess passwords or reuse passwords across multiple accounts
- A missing or invalid digital signature, so the authenticity or integrity of a software package or update is not verified
Informational
Which means: Advisory, Informative, Educational. A finding with no direct potential for damage that may still indicate a weakness or a best-practice violation. It usually involves issues with minimal impact or relevance.
Examples:
- An outdated software version that does not affect the functionality or security of the system but may indicate a lack of maintenance or patching
- A verbose error message that reveals unnecessary details about the system configuration or implementation but does not expose sensitive data
- A missing or incomplete security header that does not by itself weaken the web application but would improve its resilience against certain attacks
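The bug bar is a judgement aid, not an algorithm, but it helps to make its two axes explicit: the kind of impact an attacker achieves fixes a base level, and user interaction or mitigating factors only ever pull a finding down a level, never up. The rater below is an added example and not part of the original guidance; the impact taxonomy, the demotion rules and the sample findings are assumptions chosen so that the rating reproduces the examples listed under each level above (the flood-style denial of service, for instance, is marked as mitigated because it needs sustained traffic volume that rate limiting can absorb).

```python
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    INFORMATIONAL = 0
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    CRITICAL = 4


# Base level by the kind of impact the attacker achieves. This taxonomy is an
# assumption of this example, picked to match the examples under each level.
BASE_LEVEL = {
    "code_execution": Level.CRITICAL,      # RCE, SQLi running commands, XSS (script in the victim's browser)
    "privilege_escalation": Level.CRITICAL,
    "denial_of_service": Level.CRITICAL,
    "broad_data_access": Level.HIGH,       # arbitrary file read (LFI), whole-database disclosure
    "scoped_data_access": Level.MEDIUM,    # individual objects, e.g. BOLA
    "unauthorized_action": Level.MEDIUM,   # CSRF, actions performed on behalf of a user
    "hardening_weakness": Level.LOW,       # missing cookie flags, weak password policy, unverified signature
    "none": Level.INFORMATIONAL,           # verbose errors, missing headers, stale but unaffected versions
}

# Ordered from "attacker needs nothing from the victim" to "victim must be walked through several steps".
INTERACTION = ("none", "minimal", "moderate", "extensive")


@dataclass(frozen=True)
class Finding:
    title: str
    impact: str
    interaction: str = "none"
    mitigating_factors: bool = False


def rate(finding: Finding) -> Level:
    """Apply the bug bar: base level from impact, then demote one level per limiting factor."""
    if finding.impact not in BASE_LEVEL:
        raise ValueError(f"unknown impact class: {finding.impact!r}")
    if finding.interaction not in INTERACTION:
        raise ValueError(f"unknown interaction level: {finding.interaction!r}")

    level = BASE_LEVEL[finding.impact]
    if level == Level.INFORMATIONAL:
        return level  # nothing to demote: no damage potential to begin with

    demotions = 0
    rank = INTERACTION.index(finding.interaction)
    # Critical-tier impacts keep Critical only with no or minimal interaction (rule from the bar above);
    # lower tiers already presume some interaction and are demoted only when it becomes extensive.
    if level == Level.CRITICAL and rank >= INTERACTION.index("moderate"):
        demotions += 1
    elif level < Level.CRITICAL and finding.interaction == "extensive":
        demotions += 1
    if finding.mitigating_factors:
        demotions += 1
    # Anything with real damage potential stays at least Low; Informational is reserved for no-impact findings.
    return Level(max(Level.LOW, level - demotions))


# Constructed sample findings, mirroring the examples under each level of the bug bar above.
SAMPLE_FINDINGS = [
    Finding("SQL injection executing commands on the database server", "code_execution"),
    Finding("Reflected XSS reached via a malicious link", "code_execution", interaction="moderate"),
    Finding("Local file inclusion via URL parameter", "broad_data_access"),
    Finding("Web server crash under a flood of requests", "denial_of_service", mitigating_factors=True),
    Finding("BOLA: another user's records via a changed identifier", "scoped_data_access"),
    Finding("CSRF performing actions as the logged-in user", "unauthorized_action", interaction="moderate"),
    Finding("Session cookie without Secure or HttpOnly", "hardening_weakness"),
    Finding("Verbose error message without sensitive data", "none"),
]


def rate_all(findings):
    """Return {title: level name} for a list of findings."""
    return {f.title: rate(f).name for f in findings}


if __name__ == "__main__":
    for title, level in rate_all(SAMPLE_FINDINGS).items():
        print(f"{level:<13} {title}")
    # The "don't inflate" point: the same SQL injection behind a WAF and only reachable
    # by an authenticated administrator is High, not Critical.
    print(rate(Finding("SQL injection, admin-only, behind WAF", "code_execution", mitigating_factors=True)).name)
```

The mitigating-factor flag is deliberately a judgement call recorded per finding (a WAF, an authentication requirement, a sustained-traffic prerequisite), so the rater makes the reason for every downgrade visible in the report rather than hiding it in the rating.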