Severity Levels
What critical, high, medium, and low severity findings mean, and how to prioritize them.
Every finding has a severity level. Use severity to decide what to fix first.
Critical
Fix immediately before shipping. Critical findings are things that will either break your app entirely or expose serious security vulnerabilities. Examples:
- Hardcoded production secrets in committed code
- Missing auth on admin routes
- Database accessible without authentication
High
Fix before your first users arrive. High findings won't necessarily break everything, but they'll cause significant problems soon after launch. Examples:
- Missing error handling on payment flows
- API routes that crash on unexpected input
- No rate limiting on public endpoints
Medium
Fix in your first week after launch. Medium findings are real problems but not emergencies. Examples:
- Missing loading states on slow operations
- Inadequate test coverage on non-critical paths
- Minor security hardening gaps
Low
Fix when you have time. Low findings are improvements and best practices. Examples:
- Code style inconsistencies
- Missing JSDoc on internal functions
- Minor performance optimizations
Prioritization rule of thumb
Critical blockers → High security → High deploy → everything else
Don't get distracted by medium/low findings if you still have critical issues open. FinishKit's default sort puts the most urgent things at the top.
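As an added illustration of the rule of thumb above (this is example code, not FinishKit's own sort), the comparator below orders findings Critical first, then High security, then High deploy, then everything else, and shows how "don't get distracted" can be enforced by surfacing only open Critical findings while any remain. The finding shape (`id`, `severity`, `category`) and the sample findings are assumptions constructed for the example.

```javascript
// Added example, not FinishKit code. Assumed finding shape:
// { id, severity: 'critical'|'high'|'medium'|'low', category: 'security'|'deploy'|... }

const SEVERITY_RANK = { critical: 0, high: 1, medium: 2, low: 3 };
// Only within High does category matter: security before deploy before the rest.
const HIGH_CATEGORY_RANK = { security: 0, deploy: 1 };

function priorityKey(finding) {
  // Unknown severities sort last rather than crashing the sort.
  const sev = SEVERITY_RANK[finding.severity] ?? Number.MAX_SAFE_INTEGER;
  const cat = finding.severity === 'high' ? (HIGH_CATEGORY_RANK[finding.category] ?? 2) : 0;
  return [sev, cat];
}

function compareFindings(a, b) {
  const [sa, ca] = priorityKey(a);
  const [sb, cb] = priorityKey(b);
  // Deterministic tie-break on id so the order is stable across runs.
  return sa - sb || ca - cb || a.id.localeCompare(b.id);
}

function prioritize(findings) {
  return [...findings].sort(compareFindings);
}

// While any Critical finding is open, only those are returned as actionable.
function actionable(findings) {
  const sorted = prioritize(findings);
  const criticals = sorted.filter(f => f.severity === 'critical');
  return criticals.length ? criticals : sorted;
}

// Constructed sample findings, drawn from the examples on this page.
const SAMPLE_FINDINGS = [
  { id: 'F1', severity: 'low', category: 'quality', title: 'Code style inconsistencies' },
  { id: 'F2', severity: 'high', category: 'deploy', title: 'API routes crash on unexpected input' },
  { id: 'F3', severity: 'critical', category: 'security', title: 'Hardcoded production secrets' },
  { id: 'F4', severity: 'high', category: 'security', title: 'No rate limiting on public endpoints' },
  { id: 'F5', severity: 'medium', category: 'quality', title: 'Inadequate test coverage' },
  { id: 'F6', severity: 'high', category: 'reliability', title: 'Missing error handling on payments' },
];

function prioritizedIds(findings = SAMPLE_FINDINGS) {
  return prioritize(findings).map(f => f.id);
}

function actionableIds(findings = SAMPLE_FINDINGS) {
  return actionable(findings).map(f => f.id);
}
```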