Over a month ago, Bugcrowd published its Vulnerability Rating Taxonomy (VRT). We created the VRT to expose the community to common technical priority ratings for certain classes of bugs. Since its release, we have received a tremendous amount of feedback.
Based on this feedback, we have divided the Cross-Site Scripting (XSS) entries to provide additional granularity that captures priority variations for XSS within applications with multiple user privilege levels.
When XSS is exploited within such applications, understanding the context of both the attacker and victim is essential in determining an appropriate priority value.
Why is this the case?
Situations where a lower-privilege user can use XSS against a higher-privilege user have the most severe impact. These include a non-admin attacking an admin and an unauthenticated user attacking an authenticated user. Situations where a higher-privilege role can use XSS against a lower-privilege role are usually less severe, especially when there is a manual provisioning process or another barrier to obtaining higher-privilege accounts.
Several scenarios were identified, and they led to the new entries below:
- Stored XSS, Non-Admin to Anyone = P2 [Elevation of privilege]
- Stored XSS, Admin to Anyone = P3 [Spoofing]
- Stored XSS, Self = P5
- Reflected XSS, Non-Admin to Anyone = P3 [Elevation of privilege]
- Reflected XSS, Admin to Anyone = P4 [Spoofing]
- Reflected XSS, Self = P5
Today, we are updating the VRT to reflect these insights and look forward to your feedback. As always, we want to remind users of the VRT that it is only meant to convey a baseline suggestion. Ultimately, the final decision regarding a bug’s priority is completely up to the client and the age-old guidance of “If you get value from a submission, reward the submitter!” always applies.