Some questions were raised on our practice of penetration testing:
a) On what bases are the ratings of Critical, High, Med, Low
assigned? Will an external-facing server's XSS get High
while an internal server's (not exposed to public/Internet) XSS will
get Med? Are there also various types of XSS that warrant
different ratings?
Curious how the various tools assign these ratings, or whether in some
cases it's the human pentester who assigns them?
b) Is there any framework, e.g. NIST, CREST or others, that specifies
the duration within which findings must be resolved?