The only way for a security team to effectively manage risk is vulnerability prioritization and management. There are many different prioritization models used across the industry that are based on vulnerability risk and impact. Without a clear prioritization model, how do you know what to fix first? Highest CVSS Score? FIFO? LIFO? Externally known issues? Whatever your prioritization plan is, it needs to be documented and updated as threats to your business change.
At Bugcrowd, all valid bugs are assigned a priority rating based on the severity of the security impact - higher severity issues that are rated as Critical such as SQLi resulting in remote code execution receive higher rewards than low severity issues. Note that this is our prioritization framework for web application vulnerabilities in managed programs, and may be modified by individual customers based on their business priorities and risk tolerance. Host Infrastructure, Mobile OS or Apps, IoT, and desktop application bounty programs are adjusted appropriately.
P1 – CRITICAL - 40 kudos points
Vulnerabilities that cause a privilege escalation on the platform from unprivileged to admin, allows remote code execution, financial theft, etc. Examples: vulnerabilities that result in Remote Code Execution such as Vertical Authentication bypass, SSRF, XXE, SQL Injection, User authentication bypass.
P2 – HIGH - 20 kudos points
Vulnerabilities that affect the security of the platform including the processes it supports. Examples: Lateral authentication bypass, Stored XSS, some CSRF depending on impact.
P3 – MEDIUM - 10 kudos points
Vulnerabilities that affect multiple users, and require little or no user interaction to trigger. Examples: Reflective XSS, Direct object reference, URL Redirect, some CSRF depending on impact.
P4 – LOW - 5 kudos points
Issues that affect singular users and require interaction or significant prerequisites (MitM) to trigger. Examples: Common flaws, Debug information, Mixed Content.
P5 – BIZ ACCEPTED RISK - 0 kudos points
Non-exploitable weaknesses and “won’t fix” vulnerabilities. Examples: Best practices, mitigations, issues that are by design or acceptable business risk to the customer such as use of CAPTCHAS.
We encourage customers to customize this priority model for their business and publish it in their bounty brief with minimum reward amounts for submissions at each level. This helps researchers know what to expect up front, and makes the reward phase of submission validation a lot faster.