Vulnerabilities Classification Based on Priority and Severity


Severity VS Priority

The severity of a vulnerability is determined by system standards and the technical perspective on the system's workflow: it measures how serious the impact would be. A severity level rarely changes, whereas priority may.

Priority indicates how quickly a vulnerability should be fixed and eradicated from an application. It expresses the urgency of dealing with a vulnerability in your system, with priority one being the highest and five the lowest.

Examples

High Severity & High Priority (e.g. S1P1)

A vulnerability in the application's core functionality which, if not fixed promptly, will immediately affect the business goal. For example:

  • remote code execution (RCE)
  • SQL injection
  • Command Injections
  • financial theft or direct financial loss

An S1P1 vulnerability means your website is at risk of being hacked at any time. We recommend making it your highest priority to fix these vulnerabilities immediately.

Mid Severity & Mid Priority (e.g. S3P3)

A vulnerability in the application's functionality that malicious attackers can exploit to access sensitive information on the application or server. The impact of an S3P3 issue is relatively limited. For example:

  • Exploiting an S3P3 vulnerability requires more skill and may depend on special conditions, such as the absence of SSL/TLS certificate issues, or the attacker needing to be in a particular location (e.g. within physical proximity of the target)
  • Server misconfiguration

Low Severity & Low Priority (S5P5)

Any vulnerability that represents an acceptable business risk to the organisation/company. For example:

  • information leakage (e.g. the database version number, or the username of the database admin account, which attackers could use to brute-force the credentials)
  • configuration errors
  • lack of some security measures

Such issues can be combined with social engineering to cause a more severe impact on the target.
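As an added illustration (not part of the original article), the classification above as a small triage model: it validates the 1..5 scales, accepts both the S1P1 and P1S1 spellings used on this page, keeps severity fixed while priority can be changed, and orders a fix queue by priority first. The findings are constructed samples modelled on the page's examples.

```python
from dataclasses import dataclass
import re

# Accepts "S<sev>P<pri>" or "P<pri>S<sev>", digits 1..5, case-insensitive.
_LABEL_RE = re.compile(r"^(?:S([1-5])P([1-5])|P([1-5])S([1-5]))$")


@dataclass(frozen=True)
class Finding:
    title: str
    severity: int  # 1 = most severe ... 5 = least severe
    priority: int  # 1 = fix first ... 5 = fix last

    def __post_init__(self) -> None:
        for name, value in (("severity", self.severity), ("priority", self.priority)):
            if not 1 <= value <= 5:
                raise ValueError(f"{name} must be in 1..5, got {value}")

    @property
    def label(self) -> str:
        return f"S{self.severity}P{self.priority}"


def parse_label(label: str) -> tuple[int, int]:
    """Parse 'S1P1' or 'P1S1' into (severity, priority)."""
    m = _LABEL_RE.match(label.strip().upper())
    if not m:
        raise ValueError(f"unrecognised label: {label!r}")
    s1, p1, p2, s2 = m.groups()
    return (int(s1), int(p1)) if s1 else (int(s2), int(p2))


def reprioritize(f: Finding, new_priority: int) -> Finding:
    """Priority can change with business context; severity stays as assessed."""
    return Finding(f.title, f.severity, new_priority)


def triage_order(findings: list[Finding]) -> list[Finding]:
    """Fix queue: lowest priority number first, ties broken by severity, then title."""
    return sorted(findings, key=lambda f: (f.priority, f.severity, f.title))


# Constructed sample findings (hypothetical), one per bucket from the article.
SAMPLE = [
    Finding("Database version disclosed in banner", 5, 5),
    Finding("SQL injection in login form", 1, 1),
    Finding("Server misconfiguration", 3, 3),
]

if __name__ == "__main__":
    for f in triage_order(SAMPLE):
        print(f.label, f.title)
```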