Vulnerabilities are classified into different ranks or scores. Establishing this ranking is important for the following reasons:
- The ranking helps to indicate which vulnerability is most likely to be exploited by an attacker
- It will help determine which vulnerability requires more attention (higher priority)
- Instrumental in devising an effective security plan
- Essential for cost-benefit and trade-off analysis and decision-making on mitigation methods
For example, a basic vulnerability ranking system could be V1, V2, V3 –
| Rank | Characteristics | Example |
|---|---|---|
| V1 | Lowest priority; unlikely avenue of attack; lowest risk. Mitigation: failing safely is sufficient, as the function is not mission critical. | An error in rendering the HTML content correctly in the client's browser. While undesirable, this is more of a temporary inconvenience than a grave security lapse. |
| V2 | Intermediate priority; a possible target of an attack, though not a probable one; moderate level of risk. Mitigation: failing safely, along with protecting private and confidential data. | An error in sending out a newsletter to all members via email. If the newsletter isn't rendered correctly it is an inconvenience, but if the email exposes the email addresses of all members (a failure in the BCC, Blind carbon copy, field), it poses a V2 vulnerability. |
| V3 | Highest priority; most likely to be exploited by attackers; highest level of risk. Mitigation: a mitigation plan and controls are required, and the vulnerability must be completely accounted for. | Free text input accepted through an Internet form. It can potentially cause a confidential database to be breached through SQL injection. |