Risk rating methodology and Risk level on ZAP Alert Details Explanation


Thegrax Dn

Dec 15, 2022, 11:16:39 PM12/15/22
to OWASP ZAP User Group
Hello, is there an explanation of how the risk level in ZAP alerts is assigned,
like why it is high, medium, low, or informational?
And also, is it related to the OWASP Risk Rating Methodology?
If it is, then why is there an informational risk in ZAP alerts, while the risk rating methodology only has three levels: high, medium, and low?

kingthorin+owaspzap

Dec 16, 2022, 8:55:57 AM12/16/22
to OWASP ZAP User Group
Risk (actually more like Severity) is assigned by whoever creates the scan rule/alert. It is not tied to RRM.

Simon Bennetts

Dec 17, 2022, 4:31:49 AM12/17/22
to OWASP ZAP User Group
It's also something we review when the rule is added, so you could say the risk level is a rough consensus of the ZAP Core Team ;)
Feel free to argue that any of the existing ones should be changed...

Cheers,

Simon
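Added example (not part of the thread, and not ZAP project code): a small triage script that consumes a ZAP JSON report and treats the alert risk the way the replies above describe it, as ZAP's own four-level severity scale (Informational, Low, Medium, High) that each scan rule author assigns, not as an OWASP Risk Rating Methodology score. It assumes the field names of ZAP's traditional JSON report (`riskcode`, `confidence`, `riskdesc`, `alert`, `pluginid`, `instances`); the report embedded below is constructed for the example, and the CI-gate thresholds are illustrative choices.

```python
import json
from collections import Counter

# ZAP's four alert risk levels as the integer riskcode values written to its
# reports. This is ZAP's own per-rule severity scale, not the three-level
# OWASP Risk Rating Methodology (which has no "Informational").
RISK_NAMES = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}

# ZAP confidence codes (0 = False Positive, 1 = Low, 2 = Medium, 3 = High,
# 4 = User Confirmed). Risk and confidence are separate fields; the human
# readable "riskdesc" string bundles them as "<risk> (<confidence>)".
CONFIDENCE_NAMES = {0: "False Positive", 1: "Low", 2: "Medium", 3: "High", 4: "User Confirmed"}

# Constructed sample report (assumption: shaped like ZAP's traditional JSON
# report). Rule IDs and names are illustrative sample data.
SAMPLE_REPORT = json.dumps({
    "@version": "2.12.0",
    "site": [{
        "@name": "http://example.test",
        "alerts": [
            {"pluginid": "40012", "alert": "Cross Site Scripting (Reflected)",
             "riskcode": "3", "confidence": "2", "riskdesc": "High (Medium)",
             "instances": [{"uri": "http://example.test/search?q=x"}]},
            {"pluginid": "10021", "alert": "X-Content-Type-Options Header Missing",
             "riskcode": "1", "confidence": "2", "riskdesc": "Low (Medium)",
             "instances": [{"uri": "http://example.test/"}, {"uri": "http://example.test/login"}]},
            {"pluginid": "10015", "alert": "Re-examine Cache-control Directives",
             "riskcode": "0", "confidence": "1", "riskdesc": "Informational (Low)",
             "instances": [{"uri": "http://example.test/"}]},
        ],
    }],
})


def split_riskdesc(riskdesc):
    """Split ZAP's 'High (Medium)' style string into (risk_name, confidence_name)."""
    risk, _, rest = riskdesc.partition(" (")
    return risk.strip(), rest.rstrip(")").strip()


def parse_alerts(report_json):
    """Flatten a ZAP JSON report into one row per alert with integer risk/confidence."""
    data = json.loads(report_json)
    rows = []
    for site in data.get("site", []):
        for alert in site.get("alerts", []):
            risk = int(alert["riskcode"])
            confidence = int(alert["confidence"])
            if risk not in RISK_NAMES or confidence not in CONFIDENCE_NAMES:
                # Anything outside ZAP's known scale is a report-format problem, not a finding.
                raise ValueError(f"unexpected risk/confidence for rule {alert.get('pluginid')}")
            rows.append({
                "site": site.get("@name"),
                "pluginid": alert["pluginid"],
                "name": alert["alert"],
                "risk": risk,
                "confidence": confidence,
                "instances": len(alert.get("instances", [])),
            })
    return rows


def count_by_risk(rows):
    """Number of distinct alerts at each of ZAP's four risk levels (all four keys present)."""
    counts = Counter(RISK_NAMES[r["risk"]] for r in rows)
    return {name: counts.get(name, 0) for name in RISK_NAMES.values()}


def gate(rows, fail_at=2, min_confidence=1):
    """Alerts that should fail a pipeline: risk >= fail_at (default Medium) and
    confidence >= min_confidence, so false positives (confidence 0) never block.
    Thresholds are a local policy decision; ZAP only supplies the per-rule level."""
    return [r for r in rows if r["risk"] >= fail_at and r["confidence"] >= min_confidence]


if __name__ == "__main__":
    rows = parse_alerts(SAMPLE_REPORT)
    print(count_by_risk(rows))
    for r in gate(rows):
        print(f"FAIL {RISK_NAMES[r['risk']]}: {r['name']} (rule {r['pluginid']}, {r['instances']} instance(s))")
```

The gate keys on `riskcode` rather than on the `riskdesc` string precisely because the latter mixes risk with confidence; `split_riskdesc` is there only to show what that string contains. Since the level is a per-rule value chosen by the rule author (and reviewed by the core team, per the replies above), teams that disagree with a rule's level can remap it locally before gating rather than expecting it to line up with an RRM score.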