Likelihood

The likelihood of occurrence is determined through a systematic evaluation of the potential that a threat actor can successfully exploit a specific vulnerability or a combination thereof.

Impact

The Impact score for a threat signifies the potential extent of harm resulting from the exploitation of a detected vulnerability. This includes unauthorized information disclosure, unauthorized information alteration, unauthorized information destruction, or the loss of both information and information system availability.

The below table shows the impact and likelihood assigned for each of the vulnerabilities category*

• When the endpoint processes Personally Identifiable Information (PII), it amplifies the impact score of the vulnerabilities.

• The presence of multiple vulnerabilities within a single endpoint can elevate the impact, such as when Broken Object Level Authorization (BOLA) and insufficient rate limiting co-occur, leading to the highest impact score. In other cases the maximum score in applied

• Should our system lack sufficient details regarding the endpoint, such as absent documentation and tests not executed on the endpoint, the risk will be indicated as N/A.

Risk Matrix

Each finding's risk level is determined from four possible categories: Critical, High, Medium, or Low risk level. This determination was made by assessing the potential impact magnitude and the likelihood of exposure exploitation, with reference to the provided table.

Open API/Swagger based risk calculation

When risk is assessed using API documentation only, it is determined as follows:

Likelihood:

Likelihood is derived from factors such as the attack surface (e.g., parameter count), authentication methods or their absence and parameter types

The likelihood score is calculated based on the attack surface (e.g. number of parameters), the authentication method or lack there of and the type of the handled parameters

Impact: The impact score is calculated based on the endpoint's sensitivity, such as its handling of PII