Bugcrowd Blog

Bugcrowd's Vulnerability Rating Taxonomy Goes Open Source

Posted by Ryan Black on May 8, 2017 11:30:00 AM

This week we have some exciting news related to our latest Vulnerability Rating Taxonomy (VRT) release!

Holding true to our outsourced model, we made the decision to accept outsourced taxonomy insight by releasing our VRT as an open source tool through GitHub.

Our Vulnerability Rating Taxonomy (VRT) is a dynamic resource outlining Bugcrowd’s baseline priority rating for the vulnerabilities most often seen within the vulnerability assessment space. As the application threat landscape is ever changing, it is important we continuously update our VRT to reflect the current vulnerability trends. Therefore, we’ve decided to partner with you, the security community at large, to help provide a more diverse perspective and keep the VRT current and reflective of market needs.

Why Open Source

Each week several members of the Bugcrowd team hold an hour-long vulnerability roundtable where they discuss new vulnerabilities, edge cases for existing vulnerabilities, priority level adjustments, and questions around general bug validation. This roundtable has proven to be a valuable tool in the creation and maintenance of the VRT. But now we want to open up this roundtable to include the expertise of the larger bug bounty community.

We look forward to this meeting each week and believe that open sourcing will not only benefit our VRT but also empower the community to take part in a full dialogue with our team and influence the way we shape and expand our taxonomy to address vulnerabilities beyond web applications. As such, we welcome everyone to take a seat at the Vulnerability Roundtable with us.

How it Works

To submit a suggested change, go to github.com/bugcrowd/vulnerability-rating-taxonomy.

We encourage you to provide as much detail around your suggestion as possible. What is your suggested change? What gap or issue do you think it fixes, and why? The more information the Bugcrowd team has, the easier it is to incorporate feedback and create better revisions. (You can find more detailed instructions here.)

Even if your revision is not immediately incorporated, every piece of information is extremely valuable and key in shaping the VRT. We look forward to expanding the VRT, creating an even better tool for the bug bounty industry.

VRT 1.1 Updates

Our latest version, VRT 1.1, introduces substantial revisions, including additions to server security misconfiguration, XSS, and CSRF entries, some priority changes, and a few minor removals. To keep up with all changes and view the full details of the VRT 1.1 updates, subscribe to our GitHub VRT changelog.

The VRT is a living document that will evolve and update over time. The most up-to-date version can always be found at bugcrowd.com/vrt. We welcome your questions and feedback at vrt@bugcrowd.com!


Written by Ryan Black

Director of Technical Operations at Bugcrowd.