Vulnerabilities are classified into different ranks or scores. Establishing this ranking is important for the following reasons:
- The ranking helps to indicate which vulnerability is most likely to be exploited by an attacker
- It will help determine which vulnerability requires more attention (higher priority)
- Instrumental in devising an effective security plan
- Essential for cost-benefit and trade-off analysis and decision-making on mitigation methods
For example, a basic vulnerability ranking system could use three ranks, V1, V2 and V3:
| Vulnerability Rank | Characteristics | Example |
|---|---|---|
| V1 | Lowest priority; an unlikely avenue of attack; lowest risk. Mitigation: failing safely is sufficient, as the function is not mission critical | An error in rendering HTML content correctly in the client's browser. While undesirable, this is more of a temporary inconvenience than a grave security lapse |
| V2 | Intermediate priority; a possible, but not probable, target of an attack; moderate risk. Mitigation: fail safely and protect private and confidential data | An error in sending out a newsletter to all members by email. If the newsletter is not rendered correctly, that is an inconvenience; but if the email exposes the email addresses of all members (through a failure in BCC, blind carbon copy), it is a V2 vulnerability |
| V3 | Highest priority; most likely to be exploited by attackers; highest risk. Mitigation: a mitigation plan and controls are required, and the vulnerability must be completely accounted for | Free-text input accepted through an Internet form. It can potentially cause a confidential database to be breached through SQL injection |
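The V3 row above is the one that needs an actual control rather than just failing safely. The following added example (not part of the original article) shows why free-text form input reaching a database is ranked highest, and what the control looks like: a lookup that splices the input into the SQL text beside the parameterised form. It assumes an in-memory SQLite database with a constructed `members` table standing in for the "confidential database"; all names and data are made up for the example.

```python
import sqlite3

# Constructed sample data standing in for the confidential database of the V3 example.
MEMBERS = [
    (1, "alice", "alice@example.org", "SECRET-NOTE-A"),
    (2, "bob", "bob@example.org", "SECRET-NOTE-B"),
]


def make_db():
    """Build the in-memory members table used by the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE members (id INTEGER PRIMARY KEY, username TEXT, email TEXT, note TEXT)"
    )
    conn.executemany("INSERT INTO members VALUES (?, ?, ?, ?)", MEMBERS)
    conn.commit()
    return conn


def lookup_unsafe(conn, username):
    """V3 pattern: form input is spliced into the SQL text, so the input can
    change the query's grammar, not just the value being compared."""
    sql = f"SELECT username, email FROM members WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Mitigation control: a parameterised query. The driver passes the value
    separately from the statement, so input is only ever compared as data."""
    sql = "SELECT username, email FROM members WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def input_alters_grammar(conn, username):
    """Cheap review check: an ordinary input that merely contains a quote makes
    the unsafe query fail to parse, which is the tell-tale sign that user input
    has become part of the statement."""
    try:
        lookup_unsafe(conn, username)
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    # A legitimate name with an apostrophe: the unsafe query cannot even parse it.
    print("O'Brien breaks unsafe query:", input_alters_grammar(db, "O'Brien"))
    print("O'Brien via safe query:", lookup_safe(db, "O'Brien"))
    # The classic tautology input: the unsafe query returns every member,
    # the parameterised one returns nobody because no username equals that string.
    probe = "x' OR '1'='1"
    print("unsafe rows:", lookup_unsafe(db, probe))
    print("safe rows:", lookup_safe(db, probe))
```

The same distinction applies to any SQL driver: the control is that the value travels as a bound parameter, never as part of the statement text. The `input_alters_grammar` check is a useful first-pass signal when reviewing an existing form handler, since a harmless apostrophe breaking a query is the same defect that lets the tautology input return the whole table.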