Severity model
Severity describes impact. It does not describe the model's confidence. A finding can be low severity with high confidence, or critical severity with lower confidence. Severity answers one question: "How bad would this be if it is real and ships to production?"
Severity levels
| Severity | Meaning | Examples |
|---|---|---|
| Critical | Direct compromise of application, data, or credentials | Remote code execution, SQL injection with data access, admin auth bypass, SSRF to cloud metadata, exposed secrets. |
| High | Severe damage with bounded scope or a clear privilege boundary break | Stored XSS, IDOR with data exposure, CSRF on account actions, privilege escalation. |
| Medium | Real issue that hurts users but does not fully compromise the system | Reflected XSS, stack trace exposure, missing rate limit, functional regression. |
| Low | Hygiene or experience issue that matters mainly as part of a larger chain | Missing headers, verbose errors, weak cookie flags, minor UI bug. |
| Info | Useful observation, not a bug by itself | Technology disclosure, attack surface note, deprecated TLS/version inventory. |
Severity vs confidence
Confidence is the model's belief that the finding is valid. Severity is the impact if it is valid. Qodex keeps these separate so a finding can be filtered, sorted, and triaged by impact without hiding uncertainty.
Evidence guard
High and critical findings need stronger evidence than lower-severity ones. In interactive chat contexts, Qodex refuses to file some high-impact findings when the agent has not confirmed the page or response state after a failed visibility or verification check. This prevents a stale selector from turning into a false critical issue.
Security scenarios
Security testing uses inverted semantics: pass means the app blocked the attack, and fail means the app may be vulnerable. Severity for a security finding reflects the impact of the successful attack, not the complexity of the test. A BOLA (broken object-level authorization) issue on tenant data is high or critical because the impact is cross-user data exposure, even if the test itself is a single simple request.
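The following is an added example, not Qodex's own code: a small model of the three ideas above (severity kept separate from confidence, an evidence guard that holds back unconfirmed high and critical findings, and inverted pass/fail semantics for security scenarios). The class names, the 0.0 to 1.0 confidence scale, the `state_confirmed` flag and the sample findings are assumptions made for illustration; the guard is applied to every high or critical finding here, whereas the page says Qodex applies it to some findings in interactive chat contexts.

```python
"""Added example for this page, not Qodex's implementation.
Names, the confidence scale and the sample data are assumptions."""
from dataclasses import dataclass
from enum import IntEnum
from typing import List, Optional, Tuple


class Severity(IntEnum):
    """Impact if the finding is real and ships to production."""
    INFO = 0
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    CRITICAL = 4


@dataclass
class Finding:
    title: str
    severity: Severity      # impact, independent of confidence
    confidence: float       # model's belief the finding is valid (assumed 0.0-1.0)
    state_confirmed: bool   # agent re-checked page/response state after a failed check


def evidence_guard(f: Finding) -> Optional[str]:
    """Return a rejection reason, or None if the finding may be filed.

    High and critical findings need stronger evidence: if the agent never
    confirmed the page or response state, a stale selector could be the
    only 'proof', so the finding is held instead of filed as a false critical.
    """
    if f.severity >= Severity.HIGH and not f.state_confirmed:
        return f"{f.severity.name} finding '{f.title}' held: page state unconfirmed"
    return None


def security_finding(title: str, impact: Severity, confidence: float,
                     attack_blocked: bool, state_confirmed: bool) -> Optional[Finding]:
    """Inverted semantics: pass (attack blocked) files nothing; fail files a
    finding whose severity is the impact of the successful attack."""
    if attack_blocked:
        return None
    return Finding(title, impact, confidence, state_confirmed)


def file_findings(candidates: List[Optional[Finding]]) -> Tuple[List[Finding], List[str]]:
    """Run every candidate through the evidence guard; return (filed, held reasons)."""
    filed, held = [], []
    for f in candidates:
        if f is None:
            continue                      # blocked attack: pass, nothing to file
        reason = evidence_guard(f)
        if reason:
            held.append(reason)
        else:
            filed.append(f)
    return filed, held


def triage(findings: List[Finding], min_severity: Severity = Severity.INFO,
           min_confidence: float = 0.0) -> List[Finding]:
    """Filter on both axes, then rank by impact first and confidence second."""
    kept = [f for f in findings
            if f.severity >= min_severity and f.confidence >= min_confidence]
    return sorted(kept, key=lambda f: (f.severity, f.confidence), reverse=True)


def sample_findings() -> List[Optional[Finding]]:
    """Constructed sample results (assumed data, not real scan output)."""
    return [
        security_finding("BOLA on tenant invoices", Severity.HIGH, 0.9,
                         attack_blocked=False, state_confirmed=True),
        security_finding("SQLi on /search", Severity.CRITICAL, 0.4,
                         attack_blocked=False, state_confirmed=False),
        security_finding("CSRF on password change", Severity.HIGH, 0.8,
                         attack_blocked=True, state_confirmed=True),
        Finding("Missing X-Content-Type-Options", Severity.LOW, 0.99, state_confirmed=False),
    ]


if __name__ == "__main__":
    filed, held = file_findings(sample_findings())
    for reason in held:
        print("HELD:", reason)
    for f in triage(filed, min_severity=Severity.LOW):
        print(f"{f.severity.name:8} conf={f.confidence:.2f}  {f.title}")
```

Note that the low-confidence critical SQLi candidate is held, not downgraded: its severity stays critical because severity is impact, and the guard acts only on whether there is enough evidence to file it at all.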
Related
Failure classification
Learn what happens before a finding is filed.
Inverted semantics
Understand security pass and fail behavior.
Triage workflow
Use severity to filter and prioritize findings.
Findings concept
Read the shorter overview.