This week we released a substantial update to our VRT! 

Our latest Vulnerability Rating Taxonomy (VRT) release 1.0 is the culmination of feedback and learnings since its original release in February 2016. As bug bounties have continued to evolve, expanding from web applications to IoT and automotive applications, our VRT has evolved as well.

The biggest update in this release is more clearly defined top-level categories (i.e. Server Security Misconfiguration) that are not dependent on target types but applicable across technologies (i.e. auto, IoT, web). This will help us map to other taxonomies (i.e. OWASP, DISA STIG) in the future.

This release also provides more flexibility for the prioritization of some vulnerabilities that have context-dependent severity ratings. For example, the criticality of an Insecure Direct Object Reference vulnerability is heavily dependent on accessible information and context. It can vary in priority from P4 to P1.

To see more examples of these vulnerabilities, check out our new web-based Taxonomy which we released along with embedded taxonomy in all submissions forms.

Additional updates:

  • Server and Client-Side Injection are now distinct categories
  • Client-Side Injection, IDOR and CSRF are prioritized by context without default priority
  • GET-based Open Redirect variant priority is now set by authentication requirement
  • TRACE-based XSS is now a P5

The VRT is a living document that will evolve and update over time. The most up-to-date version can always be found at We welcome your questions and feedback at!