The Vulnerability Rating Taxonomy (VRT) is a living project that is continually updated thanks to contributions from the broader security community to our open-sourced GitHub repository. Today, Bugcrowd is thrilled to announce the culmination of these most recent efforts, VRT 1.8.
Server Security Misconfigurations make up nearly 25% of all vulnerabilities submitted to the Bugcrowd platform, though they vary widely in severity depending on context and impact. VRT 1.8 adds new entries around Server Misconfiguration, to better capture specific cases of race conditions and cache poisoning. In an effort to assist in the mitigation of such vulnerabilities, the VRT also includes remediation advice for these entries.
Indicators of Compromise
In addition to helping organizations resolve security vulnerabilities before exploitation, Bugcrowd is also keen to help them more rapidly address potential points of compromise. To this end, VRT 1.8 introduces a new category, “Indicators of Compromise,” which allows researchers to signal to customers when they believe they have found evidence that a target has already been compromised by another actor.
Mobile Security Misconfiguration
Adding new VRT entries helps address new environments, risks, and strategies, but it is equally important to continually assess the effectiveness, relevance, and impact of existing categorizations. VRT 1.8 removes two subcategories under ‘Mobile Security Misconfiguration – Clipboard Enabled,’ and makes the category as a whole P5. These represent cases that could be categorized as vulnerabilities in a mobile OS, but aren’t vulnerabilities in any application. Ultimately, it was determined that these entries had a potentially negative impact on security as they discouraged the use of password managers in many cases. However, this category persists in its new classification in 1.8 (P5- won’t fix) as researchers often report these issues as vulnerabilities.
To enumerate the above and to capture any outstanding, the updates to VRT 1.8 include:
- server_security_misconfiguration.mail_server_misconfiguration.email_spoofing_on_non_email_domain name changed from “Email Spoofing on non-email domain” to “Email Spoofing on Non-Email Domain”
- mobile_security_misconfiguration.clipboard_enabled priority changed from null to P5 (due to children removal)
We know that every company has different priorities and needs. Because of this, we work with our customers to help them define any potential deviations from our VRT as well as any other program brief customizations.
The VRT 1.8 update will be implemented into the Crowdcontrol platform today, October 23rd, 2019.
What is the Vulnerability Rating Taxonomy (VRT)?
Created with consideration of common vulnerability standards such as the OWASP, the VRT is a living document that is constantly evolving to best provide a baseline priority rating system for vulnerabilities reported within our platform, Crowdcontrol. Our VRT Council consists of several members of the Bugcrowd team who meet each week to discuss vulnerability edge cases, improving vulnerability classification, and all external feedback from the official VRT GitHub repository. Open sourcing our VRT enables us to keep our ear to the ground, ensuring that the taxonomy aligns with the market.
At anytime, you can visit the changelog to keep up to date with a fully detailed list of changes made to the VRT. We also encourage you to follow our repository and contribute to it in any way you can.
Managing the VRT as a living document has proven to be an effective strategy for us, as the security landscape is constantly evolving. We’d like to thank everyone involved in this project and are off to start work on even more improvements!