Findings & Reports
Understanding Findings
What severity levels mean, how findings are structured, and how to interpret CWE/CVE references and compliance mappings.
What Is a Finding?
A finding is a confirmed vulnerability or security observation discovered during a scan. Each finding is structured to give you everything you need to understand, prioritize, and fix the issue.
Severity Levels
APVISO assigns a severity to every finding based on exploitability, impact, and context:
- Critical — immediately exploitable vulnerabilities that could lead to full system compromise, data breach, or remote code execution. Fix these first.
- High — serious vulnerabilities such as SQL injection, authentication bypass, or privilege escalation that could cause significant damage.
- Medium — vulnerabilities that require specific conditions to exploit or have limited impact on their own, such as stored XSS or CSRF in non-critical flows.
- Low — minor issues like information disclosure, missing security headers, or verbose error messages. Lower priority but worth addressing.
- Informational — observations that are not vulnerabilities but may be useful context, such as technology fingerprints or deprecated TLS versions.
Anatomy of a Finding
Each finding includes:
- Title — a concise description of the vulnerability.
- Severity — Critical, High, Medium, Low, or Informational.
- Description — what the vulnerability is, how it works, and why it matters.
- Evidence — HTTP request/response pairs, screenshots, or proof-of-concept payloads that demonstrate the vulnerability.
- Reproduction steps — step-by-step instructions to reproduce the issue manually.
- Remediation — specific, actionable guidance on how to fix the vulnerability.
- CWE reference — the Common Weakness Enumeration identifier for the class of weakness (e.g., CWE-89 for SQL Injection). A CWE names the type of flaw, independent of any particular product.
- CVE reference — the Common Vulnerabilities and Exposures identifier, present only when the finding corresponds to a publicly known vulnerability in a specific software version (for example, an outdated component with a published CVE).
- Compliance mappings — the controls in compliance frameworks (OWASP Top 10, PCI DSS, etc.) that the finding maps to, so it can be cited as evidence for a specific requirement.
Using Findings Effectively
- Start with Critical and High findings — they represent the greatest risk.
- Group related findings (e.g., multiple XSS instances) and fix the root cause rather than individual symptoms.
- Use CWE references to research the vulnerability class and understand broader implications.
- Share findings with developers using the built-in export or integration features.
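The triage workflow above (severity first, then grouping by weakness class, then rolling findings up to compliance controls) is mechanical enough to script against an export. The following is an added example, not APVISO code: it assumes the export is a JSON array of objects whose keys mirror the fields listed under "Anatomy of a Finding" (`id`, `title`, `severity`, `cwe`, `compliance`); the real export's key names may differ, and the sample findings are constructed for illustration.

```python
"""Triage helper for a findings export (added example, not APVISO code).

Assumption: the export is a JSON array of objects with the keys used below.
The sample data is constructed; none of it comes from a real scan.
"""
import json
from collections import Counter, defaultdict

# Severity ranks as defined on this page; lower rank means fix first.
SEVERITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3, "Informational": 4}

# Constructed sample export (hypothetical field names, not a documented schema).
SAMPLE_EXPORT = json.dumps([
    {"id": "F-101", "title": "SQL injection in order lookup", "severity": "High",
     "cwe": "CWE-89", "compliance": ["OWASP A03:2021"]},
    {"id": "F-102", "title": "Stored XSS in profile bio", "severity": "Medium",
     "cwe": "CWE-79", "compliance": ["OWASP A03:2021"]},
    {"id": "F-103", "title": "Reflected XSS in search", "severity": "Medium",
     "cwe": "CWE-79", "compliance": ["OWASP A03:2021"]},
    {"id": "F-104", "title": "OS command injection in admin export", "severity": "Critical",
     "cwe": "CWE-78", "compliance": ["OWASP A03:2021"]},
    {"id": "F-105", "title": "Server banner reveals product version", "severity": "Informational"},
    {"id": "F-106", "title": "Verbose stack trace on error page", "severity": "Low",
     "cwe": "CWE-209", "compliance": ["OWASP A05:2021"]},
])


def load_findings(export_json):
    """Parse the export and fill in the optional fields we triage on."""
    findings = json.loads(export_json)
    for f in findings:
        f.setdefault("cwe", None)          # Informational items often carry no CWE
        f.setdefault("compliance", [])
    return findings


def severity_rank(finding):
    """Unknown or missing severities sort after Informational instead of crashing."""
    return SEVERITY_RANK.get(finding.get("severity"), len(SEVERITY_RANK))


def prioritised(findings):
    """Critical and High first; stable ordering by id within a severity."""
    return sorted(findings, key=lambda f: (severity_rank(f), f["id"]))


def fix_first(findings):
    """Ids of the Critical and High findings, in the order to work them."""
    return [f["id"] for f in prioritised(findings)
            if severity_rank(f) <= SEVERITY_RANK["High"]]


def group_by_cwe(findings):
    """Group by weakness class so one root-cause fix can close several findings."""
    groups = defaultdict(list)
    for f in findings:
        groups[f["cwe"] or "uncategorised"].append(f)
    return dict(groups)


def root_cause_candidates(findings, minimum=2):
    """CWE classes with several instances: fix the shared cause, not each symptom."""
    return {cwe: [f["id"] for f in fs]
            for cwe, fs in group_by_cwe(findings).items()
            if cwe != "uncategorised" and len(fs) >= minimum}


def findings_by_control(findings):
    """Invert the compliance mappings: control -> finding ids, for audit evidence."""
    by_control = defaultdict(list)
    for f in findings:
        for control in f["compliance"]:
            by_control[control].append(f["id"])
    return dict(by_control)


def severity_counts(findings):
    return Counter(f.get("severity", "Unknown") for f in findings)


if __name__ == "__main__":
    fs = load_findings(SAMPLE_EXPORT)
    print("Counts:", dict(severity_counts(fs)))
    print("Fix first:", fix_first(fs))
    print("Root-cause candidates:", root_cause_candidates(fs))
    print("By control:", findings_by_control(fs))
```

Run it against a real export by replacing `SAMPLE_EXPORT` with the file contents and adjusting the key names. The `root_cause_candidates` output is the list to hand to developers as a single ticket per weakness class (here both XSS instances point at one missing output-encoding layer), while `findings_by_control` gives the evidence grouping an auditor asks for.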