HackerOne supports scoring severities for reports using a CVSS 3.1 calculator. CVSS or the Common Vulnerability Scoring System is an industry standard calculator used to determine the severity of a vulnerability. The standard enables a common language around the severity of vulnerabilities. Learn more about CVSS 3.1.
HackerOne’s implementation of CVSS 3.0 supports the custom environmental metric modifier: “none.” This is no longer supported in CVSS 3.1. When the CVSS 3.1 calculator is used for an asset with a “none” environmental metric modifier, it will be treated as “low” instead. Learn more about environmental scores.
Severity Caps
The affected asset in the report may have a maximum severity. In this case, the calculator will automatically cap the score and severity rating. The presence of a maximum severity will be indicated in the severity calculator.