Per OWASP, likelihood (or difficulty) is a rough measure of how likely, or how difficult, it is for an attacker to discover and exploit a particular vulnerability.
OWASP proposes three likelihood levels: Low, Medium, and High.
Trail of Bits, for example, classifies every finding into four difficulty levels:
- Undetermined: The difficulty of exploitation was not determined during this engagement.
- Low: Commonly exploited; public tools exist, or can be scripted, that exploit this flaw.
- Medium: Attackers must write an exploit, or need in-depth knowledge of a complex system.
- High: The attacker must have privileged insider access to the system, may need to know extremely complex technical details, or must discover other weaknesses in order to exploit this issue.