
Introducing the Critical Severity Level and Required Actions

To give you the most accurate view of your security risks, Snyk API & Web is introducing a new Critical severity level for findings.

Written by Claudio Gamboa

This update aligns our platform with industry standards like the Common Vulnerability Scoring System (CVSS). It will help you better prioritize your remediation efforts and ensure that the most urgent threats get immediate attention.

This guide explains what this change means, the roll-out schedule, and the important actions you need to take to ensure your integrations continue to work smoothly.

What is a Critical Severity Finding?

The new Critical severity level is reserved for the most serious vulnerabilities that require immediate fixing.

  • A finding will automatically be assigned Critical severity if it has a CVSS score of 9.0 or higher.

  • This change will be reflected across the entire application wherever findings are listed. This will also introduce a new Critical risk level, which will be applied to any target with at least one Critical severity finding, helping you quickly identify your most at-risk assets. To accommodate this, all severity and risk filters in the product are also being updated to include the Critical level.

Roll-out Schedule

We are rolling out this change in two phases to give you time to prepare.

  • Phase 1 (Beginning September 2, 2025): The Critical severity level will be visible in the Snyk API & Web UI, including in filters, lists, and configuration settings. During this phase, Snyk API & Web will not yet assign this severity to any findings. This is the ideal time to review your settings and integrations.

  • Phase 2 (Beginning September 16, 2025): Snyk API & Web will begin assigning the Critical severity to all findings that meet the criteria (CVSS score ≥ 9.0).

Action Required: Updating Your Integrations

To ensure you don't miss any Critical findings after the roll-out, you must review and potentially update your integrations. Failure to do so may result in Critical findings being missed in your external systems.

Jira (Cloud & Server) and Shortcut Integrations

To prevent your integration from breaking and avoid missing important findings, Snyk API & Web will automatically map the new Critical severity to the same status that your High severity findings currently map to.

  • Action: After September 2, 2025, we strongly recommend you review your Jira (Cloud & Server) and Shortcut integration settings. You can then adjust the mapping for Critical findings to a different status if needed.

Slack Integration

If your Slack integration is currently configured to send notifications for High severity findings, it will be automatically updated to also send notifications for Critical findings. You do not need to take any action, but you can review your settings if you wish to change this.

API Integrations

  • Important: If you have built custom integrations using the Snyk API & Web API, they may need to be updated to correctly process the new Critical severity level.

  • Action: You may need to refactor your code to support the Critical severity level to ensure your integration continues to function as expected.

SDK and CLI Integrations

  • Important: Versions of the Snyk API & Web CLI and SDK that are 0.0.1a7 or older are not compatible with the Critical severity level. These older versions might crash or fail if a Critical finding is reported.

  • Action: You must update the Snyk API & Web CLI and any applications using the SDK to a version newer than 0.0.1a7.

How This Affects Existing Findings

The severity of your existing findings will not change.

However, if a finding that was previously marked High is detected again in a new scan on or after September 16, 2025, and it meets the criteria (CVSS score ≥ 9.0), its severity will be updated to Critical.
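The following is an added example, not Snyk's code, covering the API Integrations and existing-findings passages above: a filter written before this change silently drops Critical findings, while the tolerant version ranks labels it has never seen at the top and triages any finding with a CVSS score of 9.0 or higher as Critical. The field names `id`, `severity` and `cvss_score`, the lowercase severity strings and the sample findings are assumptions constructed for illustration, not the Snyk API & Web schema.

```python
# Assumed finding shape: {"id": str, "severity": str, "cvss_score": float | None}
KNOWN_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
CRITICAL_CVSS = 9.0  # threshold stated on this page


def legacy_high_only(findings):
    """Pre-change logic: exact match on the old top level, so Critical is dropped."""
    return [f["id"] for f in findings if f["severity"] == "high"]


def severity_rank(label):
    """Rank a label; anything unrecognised fails closed to the highest rank."""
    key = str(label).strip().lower()
    return KNOWN_RANK.get(key, max(KNOWN_RANK.values()))


def effective_severity(finding):
    """Label to triage on: a CVSS score >= 9.0 wins over a stale lower label."""
    score = finding.get("cvss_score")
    if isinstance(score, (int, float)) and score >= CRITICAL_CVSS:
        return "critical"
    label = str(finding.get("severity", "")).strip().lower()
    return label if label in KNOWN_RANK else "unknown"


def to_escalate(findings, minimum="high"):
    """Return (id, effective severity) for findings at or above `minimum`."""
    floor = KNOWN_RANK[minimum]
    picked = []
    for finding in findings:
        effective = effective_severity(finding)
        if severity_rank(effective) >= floor:
            picked.append((finding["id"], effective))
    return picked


# Constructed sample findings
SAMPLE = [
    {"id": "F-1", "severity": "medium", "cvss_score": 5.3},
    {"id": "F-2", "severity": "high", "cvss_score": 7.5},
    {"id": "F-3", "severity": "high", "cvss_score": 9.8},   # existing, not yet re-detected
    {"id": "F-4", "severity": "critical", "cvss_score": 9.1},
    {"id": "F-5", "severity": "urgent", "cvss_score": None},  # label unknown to this code
]

if __name__ == "__main__":
    print("legacy :", legacy_high_only(SAMPLE))
    print("updated:", to_escalate(SAMPLE))
```

The legacy filter never returns F-4, which is the missed-finding case the Action Required section describes.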

We are excited to bring this improvement to our platform to help you focus on what matters most. If you have any questions, please contact our support team.
