Severity

Organizations: Learn what defines report severity

Each report carries a severity rating, selected in the report submission form, that indicates how severe the reported vulnerability is. The rating is shown on reports, on Hacktivity, and in the Inbox. On HackerOne, severity is particularly useful for structuring bounty ranges and is used when offering bounty recommendations.

The severity level can be marked as:

  • None

  • Low

  • Medium

  • High

  • Critical

Researchers can either select one of these severity levels manually, based on their own judgment of the vulnerability, or use a CVSS calculator to describe the vulnerability in more detail and compute an exact CVSS score. You can configure your submission requirements to require researchers to assign a severity.

The Common Vulnerability Scoring System (CVSS) is an industry-standard framework for rating the severity of a vulnerability. The standard gives everyone a common language for describing how severe a vulnerability is. HackerOne offers a custom implementation of CVSS 3.0 as well as standard implementations of CVSS 3.1 and CVSS 4.0. You can use any one of these, or a combination of them, for your program.


To set your CVSS and severity preferences, go to Engagements and click the kebab menu (three vertical dots) on the engagement in question. Then click Settings > Hacker management > Submission. Select the calculation methods you need, then click Update calculation methods to save.

Severity calculation methods in settings

If your program has a unique severity approach, describe it on your Security Page and let hackers manually select severity.

Reports can be linked to an asset. When they are, the asset's environmental metrics and maximum severity are taken into account when the score is assigned.

You can read more details about CVSS here or check out our blog post.
