Severity rubric
Severity ranks the intrinsic impact of a threat being realised without compensating controls. Likelihood is deliberately not weighted — it depends on the consuming environment. The four levels are anchored to CVSS v3.1 qualitative bands so a rating can be sanity-checked against a known industry standard.
When more than one tier could fit, pick the highest that applies.
Critical
Any of:
- Direct, persistent privileged execution on a host or control plane: root, SYSTEM, container host, cluster admin, cloud account or organisation admin, KMS key holder.
- Disclosure of "kingdom keys" — long-lived credentials, tokens, certificates, or secrets that themselves grant the privileged tier above (cluster certificates, etcd snapshots, root API keys, broad service-account keys).
- Wholesale loss of integrity or availability of tenant data: mass deletion, ransom encryption, control-plane wipe, destruction of backups.
CVSS-equivalent: typically C:H/I:H/A:H, often scope-changed; CVSS ≥ 9.0.
High
Any of:
- Initial code execution or full compromise of a single workload, service, or account at non-privileged level, with realistic abuse paths to escalate.
- Theft of credentials, tokens, or session material that grants access to other systems but not directly to the privileged tier above.
- Authentication or authorisation bypass that exposes substantial protected data or functionality.
- Lateral pivot capability that enables — but does not by itself constitute — a privileged compromise.
CVSS-equivalent: typically two of C/I/A at High, scope unchanged; CVSS 7.0–8.9.
Medium
Any of:
- Unauthorised read or modification of protected application data without obtaining execution or credentials.
- Design or configuration weakness that expands the blast radius of other threats but is not by itself directly exploitable for access (excessive permissions, weak segmentation, unpatched non-critical CVEs).
- Tampering with messages, events, or workflows in transit or at processing time, without persistent access.
CVSS-equivalent: one of C/I/A at High, or two at Low; CVSS 4.0–6.9.
Low
Any of:
- Repudiation: ability to deny or obscure an authorised action without altering data integrity (e.g. logging bypass with no further chained effect).
- Low-impact information disclosure: internal hostnames, version banners, fingerprintable error messages.
- Volumetric availability impact only — service is degraded but no confidentiality or integrity loss.
CVSS-equivalent: CVSS 0.1–3.9.
Tie-breakers and anti-patterns
- Credential disclosure tiers on what the credential unlocks. An AWS root key is Critical. A single user's app password is High. A read-only API token to non-sensitive endpoints is Medium.
- Don't escalate by reputation. "Ransomware" sounds scary, but the rating still has to come from the rubric (in its case: wholesale data integrity and availability loss → Critical).
- Severity is per threat class, not per worst-known instance. The unpatched-vulnerabilities class is rated on the category's typical blast radius, not the worst CVE that ever shipped under that label.
- Don't weight likelihood, exploitability, or detection difficulty. Those are environmental — the catalogue ranks impact only.