
Severity Levels

Mayo ASPM uses five severity levels to classify security findings. Each level indicates the potential impact and urgency of the issue.


Severity definitions

Critical

| Attribute | Value |
|---|---|
| Color | Red |
| Score range | CVSS 9.0-10.0 |
| Recommended SLA | 24 hours |

What it means: An actively exploitable vulnerability that could lead to full system compromise, data breach, or remote code execution without user interaction.

Examples:

  • Remote code execution in a production dependency (e.g., Log4Shell)
  • SQL injection in an authentication endpoint
  • Hardcoded production database credentials in a public repository
  • Known-exploited CVE (in CISA KEV) in a deployed service

Danger

Critical findings should be treated as potential incidents. Investigate immediately and remediate within 24 hours.


High

| Attribute | Value |
|---|---|
| Color | Orange |
| Score range | CVSS 7.0-8.9 |
| Recommended SLA | 7 days |

What it means: A serious vulnerability that could be exploited under certain conditions to compromise data or system integrity.

Examples:

  • Cross-site scripting (XSS) in a user-facing application
  • Server-side request forgery (SSRF) in an API endpoint
  • Known CVE with a public exploit in a direct dependency
  • Exposed API key with write permissions

Medium

| Attribute | Value |
|---|---|
| Color | Yellow |
| Score range | CVSS 4.0-6.9 |
| Recommended SLA | 30 days |

What it means: A vulnerability that could be exploited but requires specific conditions, user interaction, or insider access.

Examples:

  • Reflected XSS requiring user interaction
  • Vulnerable transitive dependency (not directly imported)
  • Weak cryptographic algorithm in use
  • Information disclosure through error messages

Low

| Attribute | Value |
|---|---|
| Color | Blue |
| Score range | CVSS 0.1-3.9 |
| Recommended SLA | 90 days |

What it means: A minor issue with limited security impact. May indicate a defense-in-depth weakness or code quality concern.

Examples:

  • Deprecated function usage with a known replacement
  • Missing security header (non-critical)
  • Low-severity CVE in a dev-only dependency
  • Verbose logging that could aid attackers

Info

| Attribute | Value |
|---|---|
| Color | Gray |
| Score range | N/A |
| Recommended SLA | None (informational) |

What it means: A finding with no direct security impact. Provided for awareness or compliance purposes.

Examples:

  • Best-practice suggestion (e.g., "use strict mode")
  • License compliance notice
  • Outdated but non-vulnerable dependency
  • Code quality observation from a security scanner

Severity mapping from scanners

Each scanner produces its own severity ratings. Mayo ASPM normalizes them:

| Scanner | Scanner severity | Mayo ASPM severity |
|---|---|---|
| Grype | Critical / High / Medium / Low / Negligible | Critical / High / Medium / Low / Info |
| Trivy | Critical / High / Medium / Low / Unknown | Critical / High / Medium / Low / Info |
| Semgrep | ERROR / WARNING / INFO | High / Medium / Info |
| Gitleaks | (all findings) | High (by default, configurable) |

Severity override

You can override the mapped severity in triage or priority policies. For example, elevate all Gitleaks findings to Critical for specific file patterns.


SLA recommendations by tier

| Severity | Startup / SMB | Mid-market | Enterprise |
|---|---|---|---|
| Critical | 72 hours | 24 hours | 4 hours |
| High | 14 days | 7 days | 3 days |
| Medium | 60 days | 30 days | 14 days |
| Low | 90 days | 90 days | 60 days |
| Info | No SLA | No SLA | No SLA |
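The tables above (CVSS score ranges, scanner mapping, severity override and per-tier SLAs) combine into a small triage step. The following is an added example, not Mayo ASPM's own code: the function names, the finding dict shape and the sample findings are assumptions made here, and unrecognised scanner ratings raise an error rather than silently becoming Info, so a gap in the mapping is noticed.

```python
"""Added example: normalise scanner ratings to Mayo ASPM levels and work out SLA deadlines.
Not Mayo ASPM's own code; the function names and the finding dict shape are assumptions."""
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatch

# Mayo ASPM levels, most severe first.
LEVELS = ["critical", "high", "medium", "low", "info"]

# Scanner-native rating -> Mayo ASPM level, per the mapping table above (keys lower-cased).
SCANNER_MAP = {
    "grype":   {"critical": "critical", "high": "high", "medium": "medium",
                "low": "low", "negligible": "info"},
    "trivy":   {"critical": "critical", "high": "high", "medium": "medium",
                "low": "low", "unknown": "info"},
    "semgrep": {"error": "high", "warning": "medium", "info": "info"},
}
GITLEAKS_DEFAULT = "high"  # every Gitleaks finding is High unless a policy overrides it

# Recommended SLA per tier in hours (None = no SLA), from the tier table above.
SLA_HOURS = {
    "startup":    {"critical": 72, "high": 14 * 24, "medium": 60 * 24, "low": 90 * 24, "info": None},
    "mid-market": {"critical": 24, "high": 7 * 24,  "medium": 30 * 24, "low": 90 * 24, "info": None},
    "enterprise": {"critical": 4,  "high": 3 * 24,  "medium": 14 * 24, "low": 60 * 24, "info": None},
}

# Constructed reference time used by demo(); not from any real scan.
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)


def severity_from_cvss(score: float) -> str:
    """Map a CVSS base score onto the score ranges in the definitions above."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    if score >= 0.1:
        return "low"
    return "info"  # a score of 0.0 falls in no range; treat it as informational


def normalize(scanner: str, scanner_severity: str) -> str:
    """Translate a scanner's own rating to a Mayo ASPM level.

    An unrecognised rating raises instead of defaulting, so a new scanner
    version cannot make findings quietly disappear into 'info'.
    """
    scanner = scanner.lower()
    if scanner == "gitleaks":
        return GITLEAKS_DEFAULT  # Gitleaks has no per-finding severity
    try:
        return SCANNER_MAP[scanner][scanner_severity.lower()]
    except KeyError:
        raise ValueError(f"no mapping for {scanner!r} rating {scanner_severity!r}")


def apply_override(finding: dict, critical_path_globs) -> str:
    """Severity override as described above: elevate Gitleaks findings whose file
    path matches one of the globs to Critical; other findings keep their level."""
    if finding["scanner"] == "gitleaks" and any(
        fnmatch(finding.get("path", ""), g) for g in critical_path_globs
    ):
        return "critical"
    return finding["severity"]


def sla_deadline(level: str, tier: str, detected_at: datetime):
    """Remediation deadline for a level under a tier, or None when no SLA applies."""
    hours = SLA_HOURS[tier][level]
    if hours is None:
        return None
    return detected_at + timedelta(hours=hours)


def is_overdue(level: str, tier: str, detected_at: datetime, now: datetime) -> bool:
    deadline = sla_deadline(level, tier, detected_at)
    return deadline is not None and now > deadline


# Constructed sample findings (not real scanner output); paths are made up.
SAMPLE_FINDINGS = [
    {"scanner": "grype", "rating": "Negligible", "path": "go.sum"},
    {"scanner": "semgrep", "rating": "ERROR", "path": "api/login.py"},
    {"scanner": "gitleaks", "rating": None, "path": "config/prod.env"},
    {"scanner": "gitleaks", "rating": None, "path": "test/fixtures/fake.env"},
]


def triage(findings, tier, detected_at, now, critical_path_globs=("config/prod*",)):
    """Normalise, apply the override and attach SLA state; returns new dicts."""
    out = []
    for f in findings:
        f = dict(f, severity=normalize(f["scanner"], f["rating"] or ""))
        f["severity"] = apply_override(f, critical_path_globs)
        f["deadline"] = sla_deadline(f["severity"], tier, detected_at)
        f["overdue"] = is_overdue(f["severity"], tier, detected_at, now)
        out.append(f)
    return out


def demo(tier="enterprise", hours_elapsed=5):
    """Triage the samples as if detected at T0 and checked hours_elapsed later."""
    now = T0 + timedelta(hours=hours_elapsed)
    return [(f["scanner"], f["severity"], f["overdue"])
            for f in triage(SAMPLE_FINDINGS, tier, T0, now)]


if __name__ == "__main__":
    for row in demo():
        print(*row)
```

With the Enterprise tier and five hours elapsed, only the Gitleaks finding elevated to Critical (4-hour SLA) is overdue; the Semgrep ERROR mapped to High still has most of its 3 days left, and the Negligible Grype finding carries no SLA at all.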

Using severity in policies

Triage by severity

```rego
# Rego v1 syntax (OPA 1.0+; on older OPA add `import rego.v1`). Medium and Low
# findings match neither rule and are left for manual triage.
decision := "accept" if { input.finding.severity in ["critical", "high"] }
decision := "reject" if { input.finding.severity == "info" }
```

Priority scoring by severity

```rego
# One priority value per level; the default rule covers Info and any
# unrecognised severity so the policy never leaves priority undefined.
priority := 100 if input.finding.severity == "critical"
priority := 75 if input.finding.severity == "high"
priority := 50 if input.finding.severity == "medium"
priority := 25 if input.finding.severity == "low"
default priority := 0
```

PR gate by severity

```rego
# Fail the pull request when the scan contains any Critical finding;
# scan_results.by_severity.critical is the count of Critical findings.
result := "fail" if { input.scan_results.by_severity.critical > 0 }
default result := "pass"
```
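To check how the three policies behave on a whole scan without running OPA, the following is an added example that re-expresses them in Python. It is not Mayo ASPM's evaluator; the input shape (finding.severity, scan_results.by_severity) follows the Rego snippets, the sample findings are constructed, and the optional max_high cap on the PR gate is a generalisation added here rather than part of the page's policy.

```python
"""Added example: the triage, priority and PR-gate policies above in Python.
Not Mayo ASPM's own code; input shape mirrors the Rego snippets."""
from collections import Counter

LEVELS = ("critical", "high", "medium", "low", "info")
PRIORITY = {"critical": 100, "high": 75, "medium": 50, "low": 25}  # anything else -> 0


def by_severity(findings):
    """Build scan_results.by_severity with a count for every level (zero when absent),
    so a gate comparing `critical > 0` never fails on a missing key."""
    counts = Counter(f["severity"] for f in findings)
    return {level: counts.get(level, 0) for level in LEVELS}


def triage_decision(finding):
    """Accept Critical/High, reject Info; Medium and Low get no decision (None),
    just as the Rego rules leave them undefined."""
    sev = finding["severity"]
    if sev in ("critical", "high"):
        return "accept"
    if sev == "info":
        return "reject"
    return None


def priority(finding):
    return PRIORITY.get(finding["severity"], 0)


def pr_gate(scan_results, max_high=None):
    """Fail on any Critical finding, as in the Rego above. max_high is an added
    generalisation (assumption): when set, also fail if High findings exceed it."""
    counts = scan_results["by_severity"]
    if counts["critical"] > 0:
        return "fail"
    if max_high is not None and counts["high"] > max_high:
        return "fail"
    return "pass"


# Constructed findings, already normalised to Mayo ASPM levels.
SAMPLE = [
    {"id": "F-1", "severity": "high"},
    {"id": "F-2", "severity": "medium"},
    {"id": "F-3", "severity": "info"},
]


def evaluate(findings, max_high=None):
    """Run all three policies over one scan and return the results together."""
    scan = {"by_severity": by_severity(findings)}
    return {
        "triage": {f["id"]: triage_decision(f) for f in findings},
        "priority": {f["id"]: priority(f) for f in findings},
        "gate": pr_gate(scan, max_high),
        "by_severity": scan["by_severity"],
    }


if __name__ == "__main__":
    print(evaluate(SAMPLE))
    print(evaluate(SAMPLE + [{"id": "F-4", "severity": "critical"}]))
```

Note that the gate as written on the page passes a scan containing only High findings; if that is not acceptable for a given repository, tighten the gate (the max_high parameter shows one way) rather than relying on the triage decision, which only labels findings.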

Next steps