Asset Criticality Score

The Asset Criticality Score provides a standardized way to measure the business importance of an asset within your Bugcrowd organization. It helps you prioritize assets for security testing, monitoring, and remediation.

Criticality Scores are calculated automatically using a 0-40 scale, based on four key asset attributes: Business Criticality, Environment, Sensitivity, and Exposure Status.

How the Criticality Score Works

Each of the four attributes contributes a weighted score. The sum of these values produces the final Asset Criticality Score:

Maximum possible score = 40

Field Score Breakdown

Field Value Score (0-10)
Business Criticality Critical 10
  High 5
  Moderate 2
Environment Production 10
  Staging 5
  Development / QA 2
Sensitivity Regulated (PII, PCI, HIPAA) 10
  Confidential 7
  Internal 4
  Public 1
Exposure Status Internet-facing 10
  Partner-exposed 6
  Internal-only 2

Criticality Score Scale

Score Range Risk Level
0-10 Low
11-20 Moderate
21-30 High
31-40 Critical

Example

For an asset with the following values:

  • Business Criticality = High (5)
  • Environment = Production (10)
  • Sensitivity = Confidential (7)
  • Exposure Status = Internet-facing (10)

Score = 5 + 10 + 7 + 10 = 32 (Critical)

Viewing Criticality Scores

  • Navigate to any asset view page.
  • The Security Posture column displays each asset’s Criticality Score, level (Low-Critical), and visual indicator.
  • Use sorting and filtering options to quickly find assets by score range.

Asset Criticality Score

Updating Criticality Score Inputs

The Criticality Score automatically updates when you edit an asset’s Business Criticality, Environment, Sensitivity, or Exposure Status.

Steps:

  • From any asset view page, locate the asset you want to update.
  • Click the ellipsis menu (…) on the right side of the row.
  • Select Edit (this opens the Edit Asset panel).
  • Under Security Posture, update any of the following fields:
    • Business Criticality (Critical, High, Moderate)
    • Exposure Status (Internet-facing, Partner-exposed, Internal-only)
    • Environment (Production, Staging, Development, Test)
    • Sensitivity (Public, Internal, Confidential, Regulated)
  • Save your changes.
  • The Criticality Score will recalculate immediately based on the new values.

Security Posture Fields

Security Posture fields