Efficient debugging is crucial for ensuring the reliability and functionality of software and mobile applications. It allows developers to trace and fix errors, enhancing the overall code quality and user experience. Debugging also contributes to time and resource efficiency by reducing the need for extensive manual testing and troubleshooting.
It might seem natural to assume that severe problems deserve priority. But in software testing, that's not necessarily the case. There are important differences between severity and priority in testing, and understanding how to assess both the severity and priority levels of bugs is a critical skill for QA engineers.
Keep reading for a dive into bug severity and priority, including how the concepts are similar and different, how to manage different severity and priority levels, and best practices for debugging based on severity and priority scores.
In software testing, severity measures how significantly a bug impacts an application or system. Bugs that are more disruptive than others receive higher severity scores. By assessing severity levels, QA engineers can accurately determine how problematic a bug could potentially be.
For example, a bug that prevents an application from starting would be marked with a high severity level, because it totally stops users from being able to use the application. In comparison, a bug that causes text to appear in the wrong font would be a low-severity issue, since it's unlikely to cause a serious disruption to most, if any, users.
Likewise, in the context of security testing, a bug that enables remote attackers to execute arbitrary code and does not require privileged access would be a severe one, because it would allow basically anyone to connect to an application and take total control of the host system. By contrast, a security flaw that only allows attackers to disable a non-critical feature within an app would not be very severe.
Different testing teams and bug databases use different systems for rating the severity level of bugs. For instance, the Common Vulnerability Scoring System, or CVSS, which is used by NIST and other organizations to track the severity level of security vulnerabilities, rates each vulnerability's severity on a scale between 0 and 10. In other cases, bugs might be grouped from a severity perspective into categories like "low," "medium," and "high." There are no universal severity scoring standards.
TL;DR
High severity bugs or 7-10 have major impact on the software, potentially leading to system crashes, data loss, or severe disruptions. Immediate resolution is essential to ensure the integrity of the application.
Medium severity bugs or 4-6, while not as critical as critical severity bugs, still have a significant impact on the software's functionality. Resolving major severity bugs is a high priority to maintain a reliable and user-friendly application.
Low severity bugs or 1-3 have a noticeable but non-critical impact on the software. These issues may include cosmetic imperfections or non-essential functionalities that are not working as intended.
The system to assign the severity of bugs will differ from team to team. Some teams may use critical instead of high or even use a system that has both critical and high, etc.
Priority is a determination of the order in which a bug should be fixed by developers if the bug exists alongside other unresolved software issues. The higher a bug's priority level, the sooner developers should devote time and effort to fixing it.
Priority is determined by two key factors:
How much of an impact the bug has on users and/or the business as a whole: Some bugs may not be a priority because the apps they impact are not used by many people or are not very important to the business.
How likely it is for the conditions that cause the bug to occur: If bugs only occur under system configurations that are rare, or if they occur only when users perform a set of actions that few users actually carry out, the bug will likely not be deemed a high-priority issue.
This is why bugs that receive a high severity rating may receive a lower priority rating. A flaw that severely disrupts the user experience might not be a priority if only a handful of users actually experience it because it only occurs under rare circumstances.
For example, imagine a security vulnerability that allows attackers to take full control of a server, but that they can only exploit if they have physical access to the server. This would be a severe vulnerability, given that it allows threat actors to take over a system completely. However, since servers are typically hosted in secure environments with strong physical security controls, this bug might not receive a high priority score because it's unlikely that attackers would actually exploit it.
Developers might give higher priority to fixing security vulnerabilities that do not give attackers full control over target systems but that can be exploited over a network connection, since network-based attacks tend to be much more prevalent than physical security breaches.
As with severity scores, there is no universal standard for scoring the priority level of a bug in software testing. That said, it's common for testing teams to categorize bugs into priority levels like "low," "medium," and "high."
TL;DR
High bug priority or 7-10 is assigned to issues that severely impact the functionality of the software, causing significant disruptions or hindering core features. These bugs require immediate attention to ensure the system's functionality.
Medium priority bugs or 4-6 have a noticeable impact but may not be as critical as high-priority issues. They are addressed after high-priority bugs.
Low priority bugs or 1-3 are generally minor issues or cosmetic imperfections that do not significantly affect the overall functionality of the software.
But remember, bug priority is subjective and may vary depending on the project, business goals, and user needs.
The main difference between severity and priority is that severity measures how much of an impact a bug has on an application or system, while priority measures how much of an impact the bug has on an organization or users who use the app or system.
To be more specific, severity and priority are different in the following respects:
Severity reflects how much a flaw disrupts the usability of software, whereas priority reflects how much the software matters to the business and/or how likely it is for a flaw to occur.
Severity is (at least in theory) an objective measure of a bug's impact, and severity levels should be the same across organizations. In contrast, priority levels are subjective and may be different for different users or businesses.
Severity implies nothing about when developers should fix a bug, but priority does shape how quickly they should create and deploy a fix.
| What it measures | How it's determined | What it means for developers |
Severity | How much a bug disrupts software | By assessing how severely a bug disrupts the performance or usability of software | Nothing in particular |
Priority | How much of an impact a bug has on an organization that uses software | By assessing how much harm a bug is likely to cause to an organization if left unaddressed | Helps determine how quickly developers must implement a fix |
To understand what severity and priority levels mean in practice, let's look at examples of different combinations of severity and priority ratings and how teams would typically react to them.
Imagine you have a bug that causes an application not to work at all, but the app is rarely used by your organization. This is an example of a high-severity, low-priority bug.
In this case, you should take note of the bug so that you can anticipate it happening on the rare occasions when it occurs. But you will not want to have your developers prioritize fixing the bug.
Now, imagine you have a bug that causes a mission-critical app to be unusable. This is a high-severity, high-priority bug that you'll want to fix as soon as possible.
A relatively minor flaw in an application that is used day in and day out by your business is an example of a low-severity, high-priority bug. This is also one that your developers should fix as quickly as possible, even though the impact of the flaw itself might seem minor.
You should document the existence of low-severity, low-priority bugs, such as a minor flaw in a rarely used app. But they should not take precedence over higher-priority bugs when applying fixes. And if your developers have spare time, such that they can address lower-priority bugs, it makes sense to address high-severity, low-priority bugs before low-severity, low-priority ones, because fixing major issues (even if they are of a low priority) is more impactful than fixing minor issues.
QA teams and developers don't require any special tools for measuring severity and priority in software testing. Any comprehensive test strategy is compatible with severity and priority scores. Using manual and/or automated tests, engineers identify bugs, discuss them with stakeholders (such as business partners and product managers), and finally, assign severity and priority scores to them. Platforms like Sauce Labs make it so teams can spend less time finding and fixing bugs and more time creating innovative user experiences.
That said, because severity and priority scores require a nuanced assessment of the significance of flaws, there is no way to fully automate the process of generating the scores. Engineers can use automated debugging tools to collect some metrics – such as how long of a performance delay a bug creates or how many real-world users interact with a feature that is impacted by a bug – and factor them into severity and priority level calculations. But at the end of the day, these assessments require human impact that reflects an understanding of how significantly a given flaw impacts users and the business.
To get the most out of bug severity and priority assessments, consider the following practices:
Collaborate with developers: QA teams typically take the lead in discovering and assessing bugs, but developers are the ones who have to fix them. They will also usually have more insight into how long it will take to address a bug. For both reasons, QA engineers should collaborate with developers when assessing severity and priority.
Don't be afraid to revise: Although QA teams should endeavor to make accurate initial assessments of both severity and priority, it's possible that information they did not at first consider might necessitate a change to either score. Don't be afraid to update in that case.
Consider temporary workarounds: Fixing bugs, especially high-priority ones, should always be your ultimate goal. But sometimes, fixes take too long to apply, and workarounds – such as temporarily disabling a configuration option that triggers a bug – are the best way to mitigate the impact of a flaw until it's fixed definitively.
Employ metrics-based assessments: As noted above, severity and priority assessments are too dependent on nuanced circumstances to be automated fully. Still, QA teams can and should factor in quantitative test data and other metrics in a consistent way when making assessments. For example, metrics about how often an application's feature is used should play a consistent role in setting bug priority scores.
Bug severity and priority are related concepts, but they serve distinct purposes. High-severity bugs may not be high-priority bugs, and vice versa. Making accurate assessments of both aspects of a bug is essential for making the right decision about when to devote developer resources to fixing it.
Sauce Labs offers a suite of debugging tools that enable efficient and cost-effective debugging for web and mobile applications across the entire SDLC, from production to post-release. The Sauce Labs Real Device cloud makes it easy to test software on different devices, both on real devices and emulators/simulators, and across different browsers to catch bugs sooner.