We are constantly iterating our Vulnerability Rating Taxonomy (VRT), incorporating our learnings into each version update. We are thrilled about our newest release, VRT 1.4, as we received an abundance of constructive feedback through our open-sourced GitHub repository.
The upcoming release of our VRT 1.4 includes:
- Added new entries that address missing, but commonly reported classes of issues.
- Removed a few entries to keep our taxonomy clean, clear and concise.
- Updated entry names to reduce ambiguity that has surfaced during Bugcrowd daily operations.
- Increased granularity to assist our ASEs with more precise triage guidance. For example, the Weak Login Function subcategory was revamped to include five carefully selected variants.
- Minor baseline severity rating adjustments.
- Added Common Weakness Enumeration (CWE) mapping.
- Added Remediation Advice mapping.
We know that one size doesn’t always fit all. Because of this, we work with our customers to help them define any potential deviations from our VRT as well as any other program brief customizations.
The VRT 1.4 update will be implemented into the Crowdcontrol platform the week of May 7. Before then, we suggest you review the VRT changes and your program brief to make any adjustment necessary.
What is the Vulnerability Rating Taxonomy (VRT)?
Created with consideration of common vulnerability standards such as the OWASP, the VRT is a living document that is constantly evolving to best provide a baseline priority rating system for vulnerability reported within our platform, Crowdcontrol. Our VRT Council consists of several members of the Bugcrowd team who meet each week to discuss vulnerability edge cases, improving vulnerability classification, and all external feedback from the official VRT GitHub repository. Open sourcing our VRT enables us to keep our ear to the ground, ensuring that the taxonomy aligns with the market.
At anytime, you can visit the changelog to keep up to date with a fully detailed list of changes made to the VRT. We also encourage you to follow our repository and contribute to it in any way you can.
Managing the VRT as a living document has proven to be an effective strategy for us, as the security landscape is constantly evolving. We’d like to thank everyone involved in this project and are off to start work on even more improvements!