Many companies and enterprises use the Common Vulnerability Scoring System (CVSS) as their unified metric to measure the severity of vulnerabilities found within their applications and infrastructure. To enable more seamless use of the CVSS on the Bugcrowd Platform™, we are excited to announce that customers can now customize mappings between the CVSS and Bugcrowd’s Vulnerability Rating Taxonomy (VRT). The VRT is an open-source, industry-standard taxonomy that aligns customers and hackers on a common set of risk priority ratings for vulnerabilities we see often, as well as edge cases.

This means the VRT severity levels (P1–P5) will be filled automatically within a submission after a CVSS score has been assigned to it. This enables standardization across the CVSS and the VRT, streamlining how security teams manage vulnerabilities.

How it works

To set your mappings, go to the CVSS v3.1 section in Security Program Settings > Submissions and move the slider to the right for the Common Vulnerability Scoring System v3.1 Calculator option. You should then be able to move the slider to the right for Map CVSS to Bugcrowd’s technical severity. This customized mapping is available for each security program.

After enabling the CVSS calculator and mapping technical severity, you can go to any submission, add a CVSS score, and then see the prefilled VRT severity level based on your customized mapping. 

For more information on how you can make the most of our customizable CVSS score mapping, check out our Mapping CVSS to Bugcrowd’s Technical Severity customer documentation.