Bubba AI, Inc. 2261 Market Street, San Francisco, California, 94114

Risk Rating

We assess each identified vulnerability using the Common Vulnerability Scoring System (CVSS), which evaluates the technical severity based on factors such as attack vector, attack complexity, required privileges, user interaction, scope, and impacts on confidentiality, integrity, and availability. The resulting CVSS score provides an initial measure of the potential technical risk associated with the vulnerability.

Risk Rating Definitions: Based on the CVSS base score, we assign a qualitative risk rating to each finding:

Critical: Vulnerabilities posing an extremely high threat to organizational data. These should be remediated immediately, as exploitation is often publicly accessible and may result in significant data loss or full server compromise.

High: Vulnerabilities with a potentially severe impact on operations, assets, or individuals. Exploitation can lead to data breaches, escalated application access, or local shell access.

Medium: Vulnerabilities that may have serious consequences when combined with other issues. They typically do not cause immediate system compromise but can serve as entry points in an attack chain.

Low: Security issues that do not directly impact system functionality but could facilitate additional attacks or reveal useful information to attackers.

Informational: Findings that do not constitute exploitable vulnerabilities but highlight missing best practices or default information exposure.
RELAYTO Penetration Test Report