Clarification on how ZAP determines the risk level of alerts (Likelihood × Impact vs. static assignment?)


Anonymous 1212

Jul 21, 2025, 4:57:52 AM
to ZAP User Group

Dear ZAP team,

I am currently writing a scientific paper on automated vulnerability management and specifically analyzing how OWASP ZAP assigns risk levels to alerts.

The official OWASP Risk Rating Methodology (https://owasp.org/www-community/OWASP_Risk_Rating_Methodology) describes a standardized matrix combining Likelihood and Impact, which serves as a recommended model for categorizing findings.

On the ZAP documentation page (https://www.zaproxy.org/docs/alerts/), I see the severity levels Informational, Low, Medium, and High listed for each rule. However, it remains unclear whether these values are dynamically calculated based on the OWASP matrix – or whether the matrix serves only as background guidance and the risk levels are in fact statically assigned.

To clarify, could you please confirm the following:

  1. Does ZAP internally apply the OWASP Risk Rating Methodology (Likelihood × Impact) to determine alert severity?

  2. Or are the risk levels statically defined by the author of each scan rule (e.g. via Alert.RISK_MEDIUM), based on heuristics or expert judgment?

  3. Is there any internal process or criteria that the ZAP Core Team uses when reviewing and validating those predefined risk levels?

This information would help ensure transparency and correctness in how I interpret and cite ZAP’s risk scoring in my academic work.

Thank you very much for your time and dedication to the ZAP project!

Best regards!

kingthorin+zap

Jul 21, 2025, 7:24:47 AM
to ZAP User Group
0) ZAP hasn't been an OWASP project for almost two years.
1) ZAP does not use the OWASP RRM (which is broken), because ZAP cannot realistically "know" the likelihood or impact of a particular vulnerability.
2) The Risk (really severity) of each Alert is decided by the rule author (and two core team members who do review).
3) Nothing formal. However, if the community feel something is mis-rated we are happy to discuss/debate.