Skip to main content

Severity Model

1. Purpose

This model keeps PCL severity language consistent across advisories, reports, and coordination notes. It prevents common failure modes: CVSS-only thinking, hype-driven severity, under-described prerequisites, and conflating technical severity with operational priority.

2. Severity vs Priority

Severity describes the intrinsic and contextual security consequence of a vulnerability.

Priority describes how urgently a defender should act in a specific environment.

A medium-severity vulnerability may be high priority when it is actively exploited, internet-facing, easy to chain, or present on a critical asset. A critical vulnerability may be lower immediate priority when it affects an isolated lab-only component with compensating controls.

3. Required Fields

A PCL severity assessment should include:

  • severity label;
  • confidence level;
  • affected security properties;
  • attacker position;
  • required privileges;
  • user interaction;
  • attack complexity;
  • affected scope;
  • evidence basis;
  • exploit maturity;
  • known exploitation status;
  • remediation status;
  • limitations.

4. Labels

Informational

Security-relevant observation without direct exploitable impact in the assessed context.

Examples:

  • minor header omission without practical impact;
  • version disclosure with no known affected vulnerability;
  • best-practice deviation without demonstrated consequence.

Low

Limited impact, significant prerequisites, narrow exposure, or strong compensating controls.

Examples:

  • low-sensitivity information exposure;
  • self-contained user-context behavior;
  • local-only issue requiring unusual conditions.

Medium

Meaningful security impact with realistic prerequisites, limited scope, or partial mitigation.

Examples:

  • authenticated data exposure within a bounded class;
  • moderate authorization flaw;
  • denial-of-service in a non-critical component;
  • misconfiguration enabling targeted abuse under specific conditions.

High

Material confidentiality, integrity, or availability impact with practical exploitation conditions.

Examples:

  • cross-tenant data exposure;
  • privilege escalation within a production service;
  • unauthenticated access to sensitive functionality;
  • reliable service compromise with meaningful prerequisites.

Critical

Severe impact with broad exposure, low attacker requirements, systemic reach, or safety/critical-service consequences.

Examples:

  • unauthenticated remote code execution on internet-facing systems;
  • mass credential compromise;
  • wormable or highly automatable compromise path;
  • control-plane compromise affecting many tenants;
  • safety-impacting system manipulation.

5. Confidence Levels

Confirmed

Validated by vendor, patch, deterministic authorized reproduction, or multiple independent high-quality evidence sources.

Probable

Strong evidence supports the finding, but some affected-version, exploitability, or environmental detail remains unconfirmed.

Limited

The issue is plausible but evidence is incomplete, indirect, or environment-specific.

Unverified

The claim is not mature enough for publication except as an explicitly labeled intake or research note.

6. Scoring Inputs

PCL may use external scoring systems as inputs:

  • CVSS v4.0 or v3.1 for structured technical characteristics;
  • EPSS for exploitation probability signal;
  • CISA KEV for known in-the-wild exploitation;
  • vendor severity for product-owner context;
  • CNA or ADP records for CVE metadata;
  • asset exposure and criticality for defender priority.

When using CVSS, include the vector when possible. Do not publish a naked number without rationale.

7. Priority Modifiers

Increase operational priority when:

  • active exploitation is known;
  • the issue appears in CISA KEV;
  • a public exploit exists;
  • exploitation is automatable;
  • the affected service is internet-facing;
  • the affected asset handles sensitive data;
  • the product is widely deployed;
  • remediation is simple and low-risk;
  • exploit chaining is likely;
  • the issue affects identity, update, CI/CD, logging, backup, or management planes.

Decrease immediate priority when:

  • exploitation requires extensive local prerequisites;
  • the affected component is not deployed;
  • strong compensating controls are verified;
  • remediation introduces higher safety risk;
  • exposure is limited to a controlled lab environment.

8. Publication Language

A public severity statement should be short and supported.

Preferred form:

Severity: High. The issue allows an authenticated low-privilege user to access another tenant’s metadata under default configuration. Impact is limited to metadata fields; no credential exposure was observed. Confidence: probable pending vendor version confirmation.

Avoid unsupported labels, adversarial framing, or broad claims not proven by evidence.

9. Unknowns

Unknowns must be explicit. A good severity section can say:

  • affected versions are not fully confirmed;
  • exploitability outside a test tenant was not assessed;
  • active exploitation is not known;
  • remediation status is pending vendor confirmation;
  • public exploit availability was not evaluated beyond listed references.