Severity levels
Use severity levels to help you with vulnerability assessment for your applications. Severity levels indicate the assessed level of risk, as Critical, High, Medium, or Low. Snyk reports the number of vulnerabilities at each level of severity in many places in the Snyk application. The display varies; a typical example follows.
Severity levels also apply to license issues. See Licenses.
The severity levels are defined in the following table.
Level | Description |
---|---|
Critical | May allow attackers to access sensitive data and run code on your application |
High | May allow attackers to access sensitive data in your application |
Medium | Under some conditions, may allow attackers to access sensitive data on your application |
Low | Application may expose some data that allows vulnerability mapping, which can be used with other vulnerabilities to attack the application |
Severity levels are one factor used in determining the Snyk Priority Score for each vulnerability. Other factors include Snyk Exploit Maturity and Reachable Vulnerabilities information.
See Snyk Priority Score for details.
Severity levels are displayed throughout Snyk, to keep this information visible at all times.
For example, the severity levels appear in the Pending tasks section of the Dashboard.
Severity levels are displayed in association with your Snyk Projects.
The number of issues at each severity level is also displayed in the left sidebar of an issue card.
The Common Vulnerability Scoring System (CVSS) determines the severity level of a vulnerability.
Snyk supports the CVSS framework version 4.0, along with the previous version, CVSS framework version 3.1, to designate the characteristics and severity of vulnerabilities.
Vulnerabilities published before Snyk added support for CVSS v4.0 use CVSS v3.1 to define their severities.
Level | CVSS score |
---|---|
Critical | 9.0 - 10.0 |
High | 7.0 - 8.9 |
Medium | 4.0 - 6.9 |
Low | 0.0 - 3.9 |
The severity level and score are determined based on the CVSS Base Score calculations using the Base Metrics. The Temporal Score, based on the Temporal Metrics, affects the Priority Score.
See Scoring security vulnerabilities 101: Introducing CVSS for CVEs.
Severity levels may not always align with CVSS scores. For example, Snyk Container severity scores for Linux vulnerabilities may vary depending on NVD severity rankings; see Understanding Linux vulnerability severity for details.
There are multiple CVSS Scores for the same vulnerability for several reasons:
When evaluating the severity of a vulnerability, it is important to note that there is no single CVSS vector. There are multiple CVSS vectors defined by multiple vendors; the National Vulnerability Database (NVD) is one.
The majority of vulnerabilities published by Snyk originate from proprietary research, public information sources, or through third-party disclosures. For example, when Snyk discovered the Critical Severity Spring4Shell vulnerability, the advisory was published on March 30, 2022, with the CVSS vector analysis. This was before an official CVE was assigned and before NVD conducted its analysis, which was published nine days later on April 8, 2022.
Some differences between CVSS vectors are normal and expected. Assessing the likelihood of a given attack vector involves judgment, and those judgments are made in the way that makes sense for the applications and use cases of open source software users, so discrepancies between vendors follow naturally.
The severity of a vulnerability is influenced by a variety of factors, including whether it comes from a "red team" angle or a "blue team" angle. To arrive at an objective and actionable rating, Snyk analysts examine the full range of data, from vendors to reporters to attackers.
There are times when a vendor discovers additional information about a vulnerability that can affect its severity. Users can find all the relevant information used to determine the severity that Snyk curated in the description and references of the advisory.
The Common Configuration Scoring System (CCSS), developed by the National Institute of Standards and Technology (NIST) and derived from CVSS, measures the severity of software security configuration issues.
Snyk uses the CCSS to designate the characteristics and severity of IaC+ vulnerabilities and misconfigurations.
Level | CCSS score |
---|---|
Critical | 9.0 - 10.0 |
High | 7.0 - 8.9 |
Medium | 4.0 - 6.9 |
Low | 0.0 - 3.9 |
The severity level and score are determined based on the CCSS Base Score calculations using the Base Metrics.