We are always updating our Vulnerability Rating Taxonomy (VRT), integrating our learnings into each version update. We are thrilled to announce our latest release, VRT 1.7 in response to our community’s ongoing feedback through our open-sourced GitHub repository.

Security misconfiguration can stem from a very simple error, but at the same time can lead to devastating cyber attacks. The latest version of VRT for the first time includes specific security misconfiguration vulnerabilities for the automotive industry.

Today’s cars have all of the security issues of a modern data center, compounded by the rapid changes in the industry and the massive complexity of the technology infrastructure behind every car. For the automotive industry, we’ve seen nearly 10,000 vulnerability submissions over the past year, with an average priority of 2.58. Average payout for a P1 is $4,417. The automotive security misconfiguration updates to VRT 1.7 reflect the massive uptick in reported critical vulnerabilities and the importance the industry is placing on security.

Other Updates to VRT 1.7 include, but are not limited to:

  • Added Sensitive Data Exposure > Weak Password Reset Implementation > Token Leakage via Host Header Poisoning as a new P2 variant, which is consistent with how this issue has been triaged by Bugcrowd’s Application Security Engineers so far.
  • Two new P4s:
    • Insufficient Security Configurability > Weak 2FA Implementation > 2FA Secret Cannot be Rotated
    • Insufficient Security Configurability > Weak 2FA Implementation > 2FA Secret Remains Obtainable After 2FA is Enabled
  • Updated Remediation Advice links to latest OWASP Documentation

We know that every company has different priorities and needs. Because of this, we work with our customers to help them define any potential deviations from our VRT as well as any other program brief customizations.

The VRT 1.7 update will be implemented into the Crowdcontrol platform the week of March 25th. Before then, if you are one of Bugcrowd’s customers, we suggest you review the VRT changes and your program brief to make any adjustment necessary.

What is the Vulnerability Rating Taxonomy (VRT)?

Created with consideration of common vulnerability standards such as the OWASP, the VRT is a living document that is constantly evolving to best provide a baseline priority rating system for vulnerabilities reported within our platform, Crowdcontrol. Our VRT Council consists of several members of the Bugcrowd team who meet each week to discuss vulnerability edge cases, improving vulnerability classification, and all external feedback from the official VRT GitHub repository. Open sourcing our VRT enables us to keep our ear to the ground, ensuring that the taxonomy aligns with the market.

At anytime, you can visit the changelog to keep up to date with a fully detailed list of changes made to the VRT. We also encourage you to follow our repository and contribute to it in any way you can.  

Managing the VRT as a living document has proven to be an effective strategy for us, as the security landscape is constantly evolving. We’d like to thank everyone involved in this project and are off to start work on even more improvements!