
VRT v1.10 Released: Flash downgrades and extended automotive categorization

In our tenth release of the Vulnerability Rating Taxonomy (VRT), we’re continuing to meet the goals we prioritized from the start:

  • Collaborate with the community to collect feedback and expertise to drive improvement
  • Maintain a taxonomy that reflects the latest changes in our ecosystem
  • Enable vulnerability category-based workflows through ease of mapping

Driving further categorization within Automotive

With vulnerability categorization central to many security teams’ reporting, it’s essential to provide the insight and visibility needed to make decisions. That’s why we partnered with Stellantis to add twenty automotive-specific vulnerabilities across CAN, ABS, RSU, and infotainment systems. This builds on the 2019 work for v1.7 that created the initial `Automotive Security Misconfiguration` category, and we look forward to the community’s ideas on how to improve it further.

Reducing impact of Flash with end of life

Adobe ended support for Adobe Flash on December 31, 2020, and all major browsers have coordinated to stop Flash from running. Because that upstream mitigation in the browser blocks end users from interacting with Flash content at all, we’ve downgraded all Flash-based entries to P5.

Train to reduce repeat vulnerabilities

Fixing a vulnerability is good, but training a team to reduce the chance of it happening again is better. That’s why we’ve partnered with Secure Code Warrior to link each of our categories to their applicable training. Using the VRT mappings is a breeze thanks to our Ruby client, which does the heavy lifting of mapping and resolving deprecated classifications, so you can easily find the CWE, CVSS, Remediation Advice and, soon, the Secure Code Warrior mapping for any classification.
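As an added illustration of the lookup workflow described above (this is example code written for this page, not the Bugcrowd Ruby client or its API), the script below resolves a deprecated classification id to its current id, walks the taxonomy to collect the lineage and inherited priority, and returns the mapped CWE ids. The taxonomy, deprecated-node mapping, CWE mapping, and every id, name, priority and CWE number in it are constructed sample data with simplified shapes; real VRT data files differ.

```ruby
require 'json'

# Constructed, simplified stand-ins for the kinds of data the VRT repository
# publishes (taxonomy, deprecated-node mapping, CWE mapping). Shapes and every
# id, name, priority and CWE number below are assumptions made for this example.
TAXONOMY = JSON.parse(<<~JSON)
  {
    "content": [
      {
        "id": "automotive_security_misconfiguration",
        "name": "Automotive Security Misconfiguration",
        "type": "category",
        "children": [
          {
            "id": "can",
            "name": "CAN",
            "type": "subcategory",
            "children": [
              { "id": "injection_disallowed_messages",
                "name": "Injection (Disallowed Messages)",
                "type": "variant", "priority": 3 }
            ]
          }
        ]
      },
      {
        "id": "example_legacy_category",
        "name": "Example Legacy Category",
        "type": "category",
        "priority": 4,
        "children": [
          { "id": "flash_based_example_variant",
            "name": "Flash-Based Example Variant",
            "type": "variant", "priority": 5 }
        ]
      }
    ]
  }
JSON

# Deprecated id => { "version in which it was retired" => replacement id }
DEPRECATED = {
  "example_legacy_category.old_flash_entry" =>
    { "1.10" => "example_legacy_category.flash_based_example_variant" }
}.freeze

# Current id => CWE ids (constructed values, not the real VRT mapping)
CWE_MAPPING = {
  "automotive_security_misconfiguration.can.injection_disallowed_messages" => [20],
  "example_legacy_category.flash_based_example_variant" => [79]
}.freeze

# Follow the deprecation chain until a non-deprecated id is reached. The
# replacement chosen is the one recorded under the highest version number.
# A visited list guards against a malformed mapping that loops forever.
def resolve_id(id)
  seen = []
  while (versions = DEPRECATED[id])
    raise "deprecation loop at #{id}" if seen.include?(id)
    seen << id
    newest = versions.keys.max_by { |v| v.split('.').map(&:to_i) }
    id = versions[newest]
  end
  id
end

# Walk the dot-separated path through the taxonomy. Returns the list of nodes
# from category down to the requested node, or nil if any segment is missing.
def lineage(id)
  nodes = []
  level = TAXONOMY["content"]
  id.split('.').each do |segment|
    node = level.find { |n| n["id"] == segment }
    return nil unless node
    nodes << node
    level = node["children"] || []
  end
  nodes
end

# Resolve deprecation first, then collect the fields a triage workflow needs.
# Priority is inherited from the deepest node on the path that defines one.
def lookup(raw_id)
  id = resolve_id(raw_id)
  nodes = lineage(id)
  return nil if nodes.nil?
  {
    id: id,
    deprecated_from: (raw_id == id ? nil : raw_id),
    names: nodes.map { |n| n["name"] },
    priority: nodes.reverse.map { |n| n["priority"] }.compact.first,
    cwe: CWE_MAPPING.fetch(id, [])
  }
end

if __FILE__ == $PROGRAM_NAME
  # A report filed under the retired id still resolves to the current P5 entry.
  puts JSON.pretty_generate(lookup("example_legacy_category.old_flash_entry"))
end
```

Resolving the deprecated id before any other lookup is the step that keeps older reports and filters consistent after a release like this one: the Flash entry's new P5 priority and its CWE mapping are attached to the current id, so a query by the old id lands on them rather than on stale data.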

Platform Launch

V1.10 will be available throughout the platform the week of April 12th. This includes, but is not limited to, all programs’ submission forms, reporting, filtering, and our Ruby client.

Celebrating our tenth version

Over the past four years we’ve seen over a hundred issues opened up to the community, ultimately driving updates to improve categorization, impact, and remediation understanding across all users who leverage the Vulnerability Rating Taxonomy. Thank you to all who have provided feedback!

Check out the latest version and stay tuned for what’s next by subscribing to future discussions.

Barnett Klane

Senior Product Manager at Bugcrowd.