Severity

A practical severity guide for bounty reports.

CVSS is a useful starting point, but bounty severity should also reflect product context, reachable impact, and the program's published payout table.

Common severity bands

Critical

Remote code execution, full account takeover at scale, unrestricted access to sensitive data, or direct movement of funds without authorization.

High

Privilege escalation, meaningful cross-tenant data access, stored XSS in privileged contexts, or auth bypass with strong real-world impact.

Medium

Limited account boundary issues, reflected XSS with user interaction, missing authorization on low-risk resources, or business logic flaws with bounded impact.

Low

Minor information disclosure, weak security headers, rate-limit gaps without a clear abuse path, or issues that require unlikely conditions.

Context changes severity

The same technical bug can pay differently depending on where it lands. A read-only issue on a demo profile may be low. The same class of issue exposing private customer data may be high or critical.

Reports should explain the actual reachable outcome. Avoid severity inflation based only on vulnerability class names.

VibeBounty does not require researchers to calculate a formal CVSS vector, but a concise impact explanation is expected for medium, high, and critical reports.