Findings are typically published with a Criticality and Risk assessment. This assessment is made by the Pentester, normally in line with your organization and its security profile.
Severity – Severity is normally set based on urgency, which is impacted by severity of a breach and likelihood of a breach
Impact – Impact defines the Severity of a breach if it were to happen
Likelihood – Sets the likelihood of a breach occurring
CVSS – CVSS score is a more complex method of assessing impact and likelihood of a breach related to a Finding. A higher score should result in a higher priority remediation. Click here to learn more