Today we are excited to announce the latest version of our Vulnerability Rating Taxonomy – VRT 1.2.

Each week several members of the Bugcrowd team hold a vulnerability roundtable where they discuss vulnerability edge cases, improving vulnerability classification, questions around general bug validation, and all external feedback from the official VRT GitHub repository. This year we decided to open source our taxonomy and encourage continuous feedback to gain additional insight from the public.

After months of internal discussion and the help from our open sourced community, we’ve made significant changes to our VRT. In addition, we’ve packaged our VRT into a Ruby Gem!

VRT 1.2 Updates

The new update of the VRT includes the following changes:

  • Priority Adjustments – The most notable changes include GET-based open redirects now set as P4, as well as all existing weak password policies as P5 – informational.
  • Additions –  VRT 1.2 adds classification for new types of issues, as well as multiple P5 Informational entries primarily originating from the “Common ‘Non-qualifying’ Submission Types” section of the Bugcrowd Standard Disclosure Terms.
  • Minor Modifications – Minor updates include editorial improvements to increase the clarity of our taxonomy and align it with the security industry.

To keep up with all changes and view the full details of the VRT 1.2 updates subscribe to our repository or view the VRT changelog.

VRT Ruby Gem

Our newest version of Vulnerability Rating Taxonomy has been packaged up with a Ruby Gem to help seamlessly implement the VRT logic into your applications. This gem enables you to easily utilize the VRT within your workflow, such as cross-referencing vulnerabilities against our taxonomy or quickly mapping across different versions.

To access and learn more about our VRT Ruby Gem click here.

The VRT is a living document that will evolve and update over time. The most up-to-date version can always be found at We welcome your questions and feedback at!