Vulnerability Level Description — LVWIT

Vulnerability Level Description

Vulnerability levels are categorized as high, medium, or low risk according to the degree of harm the vulnerability can cause. The corresponding contribution value and vulnerability level are assigned by the Prophet Platform, taking into account the severity of the vulnerability in its exploitation scenario, the difficulty of exploitation, and other factors.

The scoring criteria for each vulnerability level, and the types of vulnerabilities that fall into each, are as follows:

High Risk

With a base score of 60-100, high-risk vulnerabilities include:

Vulnerabilities that directly yield system privileges (server privileges, PC client privileges), including but not limited to remote command execution, arbitrary code execution, file upload leading to a webshell, SQL injection that yields system privileges, buffer overflows (including exploitable ActiveX buffer overflows), and similar vulnerabilities.

Vulnerabilities that directly cause denial of service of important services, including but not limited to remote denial-of-service vulnerabilities that directly take down mobile gateway services or API services, denial of service of website applications, and other vulnerabilities with serious impact.

Leakage of important sensitive information, including but not limited to SQL injection in important business databases, interface issues that expose large amounts of core enterprise business data, and other sensitive information leakage.

Serious logic and process design flaws, including but not limited to vulnerabilities that allow the passwords of arbitrary accounts to be changed in bulk, and logic vulnerabilities affecting the enterprise's core business.

Unauthorized access to sensitive information (broken access control), including but not limited to bypassing authentication to directly access the management backend, weak passwords on important backends, and server-side request forgery (SSRF) vulnerabilities that give access to large amounts of sensitive intranet information.

Unauthorized sensitive operations in important business functions, including but not limited to an account modifying important information beyond its own privileges, changing important business configuration, and other significant privilege-bypass behavior.

Other vulnerabilities that affect a wide range of users, including but not limited to stored cross-site scripting (XSS) vulnerabilities (including stored DOM-XSS) on important pages that can propagate automatically (that is, worm-like).

Medium Risk

With a base score of 30-50, medium-risk vulnerabilities include:

Vulnerabilities that require user interaction to affect users, including but not limited to stored cross-site scripting (XSS) vulnerabilities on ordinary pages, cross-site request forgery (CSRF) vulnerabilities affecting core business, etc.

Ordinary unauthorized operations (privilege bypass), including but not limited to bypassing restrictions to modify user information, performing operations as other users, and so on.

Ordinary logic and process design flaws, including but not limited to unlimited SMS sending, registration with arbitrary phone numbers or email addresses, etc.

Low Risk

With a base score of 10-20, low-risk vulnerabilities include:

Local denial-of-service vulnerabilities, including but not limited to client-side local denial of service (crashes triggered by parsing file formats or network protocols), as well as problems caused by exposed Android component permissions, ordinary application permissions, etc.

Ordinary information leakage, including but not limited to client-side passwords stored in clear text, as well as web path traversal and system path traversal vulnerabilities.

Other less harmful vulnerabilities, including but not limited to reflected cross-site scripting (XSS) vulnerabilities (including reflected DOM-XSS), ordinary cross-site request forgery (CSRF), URL redirection (open redirect) vulnerabilities, and so on.


Response Processing Time

1) Within three business days, Security Emergency Response Center staff will acknowledge receipt of a vulnerability report and follow up to begin assessing the issue.
2) Serious vulnerabilities (e.g., RCE) are followed up within 24 hours to address the issue and provide a preliminary conclusion and score.
3) High-risk vulnerabilities are followed up within 3 working days to address the issue and provide an initial conclusion and score.
4) All other vulnerabilities are followed up within 7 working days to address the issue and complete the scoring. If the reporter believes the situation is urgent, they can send an email to support@lvwit.com, and handling will be expedited once the reviewer confirms it.