Hackers: Learn how HackerOne calculates report severity

Updated over a week ago

Reports are assigned a severity rating to indicate how severe the vulnerability is. On HackerOne, severity is particularly useful for structuring bounty ranges and is used when offering bounty recommendations. The severity rating can be:

  • None

  • Low

  • Medium

  • High

  • Critical

Severity ratings can be assigned in a couple of ways. You can manually select a severity based on your judgment of the vulnerability or use one of the CVSS calculators. The Common Vulnerability Scoring System (CVSS) is an industry-standard calculator used to determine the severity of a vulnerability. The standard enables a common language around the severity of vulnerabilities.HackerOne offers a custom implementation of CVSS 3.0 as well as a standard implementation of CVSS 3.1.

In some cases, the program might use a scoring method other than CVSS. This will be outlined in their policy.

Did this answer your question?