Class Severity (0.4.0)

Severity(value)

The severity of the finding.

    A critical threat is a threat that can access,
    modify, or delete data or execute unauthorized
    code within existing resources.
HIGH (2):
    A high-risk vulnerability can be easily
    discovered and exploited in combination with
    other vulnerabilities to gain direct access and
    the ability to execute arbitrary code,
    exfiltrate data, and otherwise gain additional
    access and privileges to cloud resources and
    workloads. An example is a database with weak or
    no passwords that is only accessible internally.
    This database could easily be compromised by an
    actor that had access to the internal network.

    A high-risk threat is a threat that can create
    new computational resources in an environment
    but can't access data or execute code in
    existing resources.
MEDIUM (3):
    A medium-risk vulnerability can be used by an
    actor to gain access to resources or privileges
    that enable them to eventually (through multiple
    steps or a complex exploit) gain access and the
    ability to execute arbitrary code or exfiltrate
    data. An example is a service account with
    access to more projects than it should have. If
    an actor gains access to the service account,
    they could potentially use that access to
    manipulate a project the service account was not
    intended to.

    A medium-risk threat can cause operational
    impact but might not access data or execute
    unauthorized code.
LOW (4):
    A low-risk vulnerability hampers a security
    organization's ability to detect vulnerabilities
    or active threats in their deployment, or
    prevents the root cause investigation of
    security issues. An example is monitoring and
    logs being disabled for resource configurations
    and access.

    A low-risk threat is a threat that has obtained
    minimal access to an environment but can't
    access data, execute code, or create resources.

Enums

Name Description
SEVERITY_UNSPECIFIED Default value. This value is unused.
CRITICAL A critical vulnerability is easily discoverable by an external actor, exploitable, and results in the direct ability to execute arbitrary code, exfiltrate data, and otherwise gain additional access and privileges to cloud resources and workloads. Examples include publicly accessible unprotected user data and public SSH access with weak or no passwords.
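
Added example, not code from the library this page documents: because smaller numbers mean higher severity and the default value is unused, a naive numeric comparison or sort ranks findings the wrong way round. The sketch below uses a local stand-in enum; the numeric values for SEVERITY_UNSPECIFIED and CRITICAL are assumptions (the page gives numbers only for HIGH, MEDIUM and LOW), and the finding dictionaries and helper names are hypothetical.

```python
from enum import IntEnum


class Severity(IntEnum):
    """Local stand-in mirroring the documented enum (not the library class)."""
    SEVERITY_UNSPECIFIED = 0  # assumed value; the page gives no number
    CRITICAL = 1              # assumed value; the page gives no number
    HIGH = 2
    MEDIUM = 3
    LOW = 4


def at_least(severity, threshold):
    """True when `severity` is as severe as `threshold` or worse.

    Smaller numbers are more severe, so the comparison is inverted, and
    SEVERITY_UNSPECIFIED is treated as unknown rather than as most severe.
    """
    if Severity.SEVERITY_UNSPECIFIED in (severity, threshold):
        return False
    return severity <= threshold


def triage(findings, threshold=Severity.HIGH):
    """Split findings into (actionable, backlog, unrated), worst first."""
    unspecified = Severity.SEVERITY_UNSPECIFIED
    rated = [f for f in findings if f["severity"] != unspecified]
    unrated = [f for f in findings if f["severity"] == unspecified]
    rated.sort(key=lambda f: f["severity"])  # CRITICAL (1) before LOW (4)
    actionable = [f for f in rated if at_least(f["severity"], threshold)]
    backlog = [f for f in rated if not at_least(f["severity"], threshold)]
    return actionable, backlog, unrated


# Constructed sample findings, loosely based on the examples in the text above.
SAMPLE = [
    {"name": "logging-disabled", "severity": Severity.LOW},
    {"name": "over-scoped-service-account", "severity": Severity.MEDIUM},
    {"name": "public-ssh-weak-password", "severity": Severity.CRITICAL},
    {"name": "unrated-finding", "severity": Severity.SEVERITY_UNSPECIFIED},
    {"name": "internal-db-no-password", "severity": Severity.HIGH},
]

if __name__ == "__main__":
    for label, group in zip(("actionable", "backlog", "unrated"), triage(SAMPLE)):
        print(label, [f["name"] for f in group])
```

Unrated findings are returned separately so that they are reviewed by hand instead of being sorted ahead of CRITICAL or silently dropped.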