---
title: "Vulnerability Types"
slug: "vulnerability-types"
description: "Discover how Traceable enhances API security by detecting and managing various vulnerabilities. Learn about pre-defined and custom vulnerability types, how to configure them, and use them for real-time API security testing. Customize your security checks with Traceable’s powerful vulnerability management tools."
updated: 2025-07-09T05:56:23Z
published: 2025-07-09T05:56:23Z
---

# Vulnerability Types

Vulnerability types are the security weaknesses in your application that Traceable can detect during API security testing, such as a JWT anomaly or local file inclusion. Traceable checks for these weaknesses because they may be potential threats, and it allows you to configure and manage vulnerability types according to your requirements.

![Vulnerability Types](https://cdn.document360.io/24f14f07-13d1-4684-8fae-6d8f811768ee/Images/Documentation/traceable_ast_policies_vulnerability_types.png)

The vulnerability types are divided into two categories:

- **Traceable** — This category lists the out-of-the-box vulnerability types Traceable provides. These vulnerability types help you identify some of the most common threats. While default values are assigned to each attribute in a vulnerability type, you can edit some of these attributes according to your requirements. For more information, see [Traceable vulnerability type](/v1/docs/vulnerability-types#traceable-vulnerability-type).
- **Custom** — This category lists the vulnerability types you create by defining logic, such as severity and tags, according to your requirements. For more information, see [Custom vulnerability type](/v1/docs/vulnerability-types#custom-vulnerability-type).

While creating a [policy](/docs/ast-policies), you can select the vulnerability type you want Traceable to check for in your APIs. Based on your selection, Traceable checks for vulnerabilities as part of scans.

> [!NOTE]
> Custom vulnerability types should be linked to a custom plugin for them to be visible while creating a policy.

---

## Traceable Vulnerability Type

Traceable, by default, provides you with some vulnerability types on the **Vulnerability Types** page. On this page, under the **Traceable** tab, you can view the following:

- **Vulnerability Type** — The type of vulnerability Traceable can detect.
- **Plugin Sources** — The test plugin that detects the vulnerability type. For more information, see [Plugins](/docs/test-custom-plugin).
- **Severity** — The severity assigned to the vulnerability type.

You can also edit some attributes of these pre-defined vulnerability types to fine-tune them according to your requirements. To edit a pre-defined vulnerability type, complete the following steps:

![Editing Traceable Vulnerability Type](https://cdn.document360.io/24f14f07-13d1-4684-8fae-6d8f811768ee/Images/Documentation/traceable_ast_policies_vulnerability_type_edit_existing.png)

1. Click the **Ellipse** (![traceable_ellipse_icon](https://cdn.document360.io/24f14f07-13d1-4684-8fae-6d8f811768ee/Images/Documentation/traceable_ellipse_icon.png)) icon corresponding to the vulnerability type you want to edit.
2. Click **Edit**.
3. In the **Edit Vulnerability Type** screen, do the following according to your requirements:
  - Update the **Severity**, for example, *Critical*.
  - Update the **Description**, **Mitigation**, **Impact**, and **References** tabs.
  - Update the **CVSS score**, for example, *9.8*.
  - Update the **CVSS string**, for example, *CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H*.
  - Update the **Estimated Fix Time (hours)**, for example, *18*.
  - Update the **Estimated Bounty Value**, for example, *2000*.
4. Click **Save**.

You can reset the vulnerability type to its original state by clicking the **Ellipse** (![traceable_ellipse_icon](https://cdn.document360.io/24f14f07-13d1-4684-8fae-6d8f811768ee/Images/Documentation/traceable_ellipse_icon.png)) icon → **Reset**.

---

## Custom Vulnerability Type

You can create custom vulnerability types by specifying various attributes according to your requirements. You can use these vulnerability types while creating a custom plugin.

To define a custom vulnerability type, complete the following steps:

![Creating Custom Vulnerability Type](https://cdn.document360.io/24f14f07-13d1-4684-8fae-6d8f811768ee/Images/Documentation/traceable_ast_policies_vulnerability_types_custom.png)

1. In the page’s top right corner, click **Create**.
2. In the **New Vulnerability Type** pop-up window, complete the following:
  - Specify a **Name** for the vulnerability type.
  - (Optional) Modify the **Unique Identifier** that Traceable automatically generates based on the name you specified above.
  - Select the **Severity** of the vulnerability type.
  - Specify the **Description**, **Mitigation**, **Impact**, and **References** for the vulnerability type.
  - Specify the **CVSS Score**.
  - Specify the **CVSS String**.
  - Select the **Estimated Fix Time**.
  - Specify the **Estimated Bounty Value**.
  - Click **+ Add Tag** and specify the *Key* and *Value* for custom labels that you wish to assign to the vulnerability.
3. Click **Save**.

> [!NOTE]
> The **Name**, **Unique Identifier**, and **Tags** cannot be modified post-creation.

You can view the created vulnerability type under the **Custom** tab. You can also click the **Ellipse** (![traceable_ellipse_icon](https://cdn.document360.io/24f14f07-13d1-4684-8fae-6d8f811768ee/Images/Documentation/traceable_ellipse_icon.png)) icon corresponding to a vulnerability type to edit or delete it.
