We are thrilled to announce the newest release of our Vulnerability Rating Taxonomy, VRT 1.5!

Updates made in this release are largely contributed to insights collected from the broader security community. In 2017, we decided to accept outsourced feedback by releasing our VRT as an open-source tool through GitHub. Since then, we’ve received an overwhelming amount of support from you, the broader security community, to keep the VRT up-to-date with the current application threat landscape.

Using these insights, coupled with our experts (VRT Council) and extensive data, the latest VRT release (version 1.5)  includes the following updates:

  • Improving transparency by adding multiple entries for commonly reported issues
  • Aligning the baseline severity rating to best reflect the market by increasing taxonomy granularity

The AppSec landscape is continually changing as is the risk associated with various vulnerabilities. An excellent example of that is Flash nearing the end of its life. During this latest VRT release, we have taken time to reflect on how this is affecting the security risk of vulnerabilities requiring Flash including some cases of XSS or open redirects.

We know that one size doesn’t always fit all. Because of this, we work with our customers to help them define any potential deviations from our VRT as well as any other program brief customizations.

The VRT 1.5 update will be implemented into the Crowdcontrol platform the week of September 27th. Before then, if you are running a program with Bugcrowd, we suggest you review the VRT changes and your program brief to make any adjustment necessary.

What is the Vulnerability Rating Taxonomy (VRT)?

Created with consideration of common vulnerability standards such as the OWASP, the VRT is a living document that is continuously evolving to best provide a baseline priority rating system for vulnerabilities reported within our platform, Crowdcontrol. Our VRT Council consists of several members of the Bugcrowd team who meet each week to discuss vulnerability edge cases, improving vulnerability classification, and all external feedback from the official VRT GitHub repository. Open sourcing our VRT enables us to keep our ear to the ground, ensuring that the taxonomy aligns with the market.

At any time, you can visit the changelog to keep up to date with a detailed list of changes made to the VRT. We also encourage you to follow our repository and contribute to it in any way you can.  

Managing the VRT as a living document has proven to be an effective strategy for us, as the security landscape is constantly evolving. We want to thank everyone involved in this project and are off to start work on even more improvements!