Reporting & Professional Practice · intermediate · ~11 min

Writing findings: severity, CVSS, and impact

Write a clear finding and rate it by impact and likelihood (CVSS).

Overview

A finding needs a specific impact-oriented title, a context-aware severity, a why-it-matters description, affected assets, reproduction + evidence, and remediation + references. Severity = impact × likelihood, adjusted for business context; CVSS aids consistency but is an input, not the final word.

Why it matters

Severity drives what the client fixes first, so rating credibly (impact × likelihood, business-adjusted) and writing clear, specific findings is the core of report quality. Inflation or vagueness erodes trust and misdirects effort.

Core concepts

  • Finding anatomy. Title, severity, impact-focused description, affected assets, reproduction steps with evidence, remediation with references.
  • Severity. Impact × likelihood, context-dependent.
  • CVSS. Standardized 0–10 input; adjust for business context.
  • Pitfalls. Vague titles, severity inflation/deflation, missing context.

Lesson

Each finding is a self-contained unit the client can triage and fix. Quality here defines the report.

Anatomy of a finding

  • Title — specific and impact-oriented: "Unauthenticated access to customer records via IDOR" beats "IDOR".
  • Severity — see below.
  • Description — what the issue is and why it matters here (the business/technical impact, not a textbook definition).
  • Affected assets — exact endpoints/hosts/parameters.
  • Reproduction steps + evidence (next lesson).
  • Remediation + references (next lesson).

Severity = impact × likelihood

Rate by how bad if exploited (impact) and how easy/likely (likelihood). A trivial-to-exploit data exposure is Critical; a hard-to-reach low-impact issue is Low. Context matters: the same bug is more severe on a payment system than a marketing blog.

CVSS

The Common Vulnerability Scoring System gives a 0–10 score from standardized metrics (attack vector, complexity, privileges required, user interaction, impact to confidentiality/integrity/availability). It aids consistency and comparability — but CVSS is an input, not the final word: always adjust for business context the base score can't know (a "medium" on a crown-jewel system may be your top priority). State your severity rationale.

Common mistakes

Vague titles, severity inflation (everything Critical erodes trust) or deflation, missing business context, and duplicate findings that should be merged.

Summary

Each finding is a self-contained, impact-titled, severity-rated unit with context, evidence, and a fix. Severity is impact × likelihood adjusted for business context; CVSS standardizes scoring but never replaces judgment.