> ## Documentation Index
> Fetch the complete documentation index at: https://qodex.ai/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Severity model

> Severity ranks the impact of a finding, not how confident the model is.

# Severity model

Severity describes impact. It does not describe the model's confidence.

A finding can be low severity with high confidence, or critical severity with lower confidence. Severity answers: "How bad would this be if it is real and ships to production?"

## Severity levels

| Severity | Meaning                                                                   | Examples                                                                                                           |
| -------- | ------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------ |
| Critical | Direct compromise of application, data, or credentials                    | Remote code execution, SQL injection with data access, admin auth bypass, SSRF to cloud metadata, exposed secrets. |
| High     | Severe damage with bounded scope or a clear privilege boundary break      | Stored XSS, IDOR with data exposure, CSRF on account actions, privilege escalation.                                |
| Medium   | Real issue that hurts users but does not fully compromise the system      | Reflected XSS, stack trace exposure, missing rate limit, functional regression.                                    |
| Low      | Hygiene or experience issue that matters mainly as part of a larger chain | Missing headers, verbose errors, weak cookie flags, minor UI bug.                                                  |
| Info     | Useful observation, not a bug by itself                                   | Technology disclosure, attack surface note, deprecated TLS/version inventory.                                      |

## Severity vs confidence

Confidence is the model's belief that the finding is valid. Severity is the impact if it is valid.

Qodex keeps these separate so a finding can be filtered, sorted, and triaged by impact without hiding uncertainty.

## Evidence guard

High and critical findings need stronger evidence. In interactive chat contexts, Qodex refuses to file some high-impact findings when the agent has not confirmed the page or response state after a failed visibility or verification check.

This prevents a stale selector from becoming a false critical issue.

## Security scenarios

Security testing uses inverted semantics: pass means the app blocked the attack, and fail means the app may be vulnerable.

Severity for security findings reflects the impact of the successful attack. A BOLA issue on tenant data is high or critical because the impact is cross-user data exposure, even if the test itself is a simple request.

## Related

<CardGroup cols={2}>
  <Card title="Failure classification" icon="filter" href="/findings-failure-classification">
    Learn what happens before a finding is filed.
  </Card>

  <Card title="Inverted semantics" icon="arrows-up-down" href="/security-testing-inverted-semantics">
    Understand security pass and fail behavior.
  </Card>

  <Card title="Triage workflow" icon="list-checks" href="/findings-triage-workflow">
    Use severity to filter and prioritize findings.
  </Card>

  <Card title="Findings concept" icon="circle-info" href="/concepts-findings">
    Read the shorter overview.
  </Card>
</CardGroup>
