Bugcrowd Blog

Consistency is Key: Aligning Bugcrowd’s VRT with CVSS

Posted by Travis Andrade on Oct 10, 2017 10:00:00 AM

We are proud to announce the newest Crowdcontrol update, which now maps the open standard Vulnerability Rating Taxonomy (VRT) to the Common Vulnerability Scoring System (CVSS) v3, allowing organizations to manage submission severity with CVSS v3!

Many customers utilize CVSS as their unified metric to measure the severity of vulnerabilities found within their applications and infrastructure. Our latest update to Crowdcontrol provides customers with the ability to rate issues with CVSS v3 and adds a mapping to Bugcrowd’s VRT, aligning the two scoring models. By mapping the two scoring systems, customers will be able to quickly obtain a default CVSSv3 score for all new submissions, saving valuable time and effort.

How It Works

As always, once a vulnerability has been validated and assigned by our Application Security Engineering team, it receives a suggested priority rating based on our VRT.

Now, if enabled, a CVSS score will be added to the submission automatically as a suggestion!

The CVSS score can be manually adjusted if required by selecting the edit tool.

After clicking the edit icon, the CVSS v3 calculator pops up within Crowdcontrol and allows the user to set a CVSSv3 score based on the parameters chosen in the calculator.

Take a look at our product documentation for additional details and to learn how to configure the CVSS feature.

VRT 1.3 Updates

The new update of the VRT includes the following changes:

  • Addition of a VRT to CVSS v3 mapping
  • Addition of the Broken Access Control category, aligned with the OWASP Top 10 2017 release candidate
  • Revisions to VRT entries, providing better transparency for researchers and consistent triage guidance

The VRT is a living document that will evolve and update over time. You will find the most up-to-date version on bugcrowd.com/vrt.

What is the Vulnerability Rating Taxonomy (VRT)?

Created with consideration for common vulnerability standards such as OWASP, the VRT is a living document that is constantly evolving to provide the best possible baseline priority rating system within our platform, Crowdcontrol. Each week several members of the Bugcrowd team hold a vulnerability roundtable where they discuss vulnerability edge cases, improvements to vulnerability classification, questions around general bug validation, and all external feedback from the official VRT GitHub repository. Open-sourcing our VRT lets us keep our ear to the ground, ensuring that the taxonomy stays aligned with the market.

To keep up with all changes and view the full details of the VRT 1.3 updates, subscribe to our repository or see the VRT changelog.
