> For the complete documentation index, see [llms.txt](https://dualguard.gitbook.io/dualguard/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://dualguard.gitbook.io/dualguard/security-reviews/findings/how-to-assess-the-severity-of-a-finding.md).

# How to Assess the Severity of a Finding

DualGuard categorises vulnerability findings into three severity levels to help stakeholders prioritize remediation efforts. Guards who identify higher-severity vulnerabilities improve their contest rankings and usually earn higher payouts.

### Severity Levels

Findings on DualGuard may fall under one of these severities:

* High
* Medium
* Low

### Evaluation Framework

Severity classification depends on three factors:

1. Impact on the protocol — potential damage if exploited
2. Likelihood of exploitation — probability of the issue being triggered
3. Judge/protocol subjectivity — can override rules through use of common sense

#### Impact vs. Likelihood Matrix

| Likelihood / Impact | High   | Medium | Low    |
| ------------------- | ------ | ------ | ------ |
| High                | High   | High   | Medium |
| Medium              | High   | Medium | Low    |
| Low                 | Medium | Low    | Low    |

### Impact Definitions

* High: Funds are directly or nearly directly at risk or severe protocol disruption occurs
* Medium: Indirect fund risk or moderate functionality disruption
* Low: Funds are not at risk but functions may be incorrect or state handling inadequate

### Likelihood Definitions

High: Easily exploitable

Medium: Requires specific conditions

Low: Unlikely scenarios

{% hint style="warning" %}
Claims of "computationally infeasible" attacks require proof of feasibility.
{% endhint %}

### Severity Implications

High: Must Fix

Medium: Should Fix

Low: Could Fix

{% hint style="warning" %}
DualGuard rejects "Gas, QA, or Informational" severity submissions.

Judges should consider them as "Invalid".

Guards should focus on vulnerabilities directly impacting protocols, not optimisation insights.
{% endhint %}

{% hint style="warning" %}
Low severity issues will never affect the leaderboard ranking. That being said, guards can get rewarded for Low severity issues when the protocol team decides to enable the pot. When judges are reviewing submissions and decide to judge the validity status, impact and likelihood of a finding they think is of low severity. They should treat it as such whether the pot for low severity issues is enabled or not.
{% endhint %}
