Severity & Confidence
How Secbez assigns severity ratings using CVSS 3.1 scoring and confidence levels to help you prioritize fixes.
Every finding has two independent ratings: severity (how bad is it?) and confidence (how sure are we?).
Severity levels
Severity is based on the potential impact if the vulnerability is exploited, calculated using the industry-standard CVSS 3.1 scoring system.
| Level | CVSS Score | Meaning | Examples |
|---|---|---|---|
| Critical | 9.0 - 10.0 | Immediate, severe impact; exploitable remotely with no authentication | Unauthenticated RCE, SQL injection exposing all data |
| High | 7.0 - 8.9 | Significant impact, relatively easy to exploit | Authenticated SQL injection, IDOR on sensitive data |
| Medium | 4.0 - 6.9 | Moderate impact or requires specific conditions | XSS requiring user interaction, missing auth on non-sensitive endpoint |
| Low | 0.1 - 3.9 | Limited impact or difficult to exploit | Information disclosure, missing security headers |
Confidence levels
Confidence indicates how certain the analysis is that the finding is a real, exploitable vulnerability — not a false positive.
| Level | Meaning |
|---|---|
| High | The vulnerability is directly observable in the code with a clear exploit path |
| Medium | The vulnerability is likely real but depends on one verifiable assumption (e.g., a specific configuration) |
| Low | The vulnerability depends on multiple assumptions that can't be verified from the code alone |
How to prioritize
Focus on findings with high severity + high confidence first — these are confirmed, impactful vulnerabilities.
Findings with high severity but low confidence may still be real but need manual verification. Don't ignore them; review them when time allows.
Low severity findings with high confidence are confirmed minor issues. Address them during routine maintenance.