New Feature! VRT-enabled submission form drives enhanced vulnerability reporting
Using the VRT-enabled submission form, Bugcrowd researchers are now able to select a customer-specified target and identify vulnerabilities based on our comprehensive VRT classification. This reduces effort for all parties and ultimately speeds up prioritization and management of vulnerabilities for our customers.
By integrating the VRT, both customers and researchers are benefiting from:
- An enhanced vulnerability classification system, reducing ambiguity about the severity or impact
- A reduction in time to triage, validate, and prioritize vulnerabilities
- Improved alignment of expectations for priority or payout of rewardable submissions
This feature is now live in Crowdcontrol, so keep an eye out for more enhancements to program reporting and filtering capabilities in the near future!
Vulnerability Rating Taxonomy Classification:
The Vulnerability Taxonomy Rating (VRT) is a detailed taxonomy of vulnerability types with suggested priority ratings for each. Each item in the taxonomy has a baseline technical severity. The taxonomy is now fully integrated into our Crowdcontrol platform delivering an improved and more granular classification of the vulnerabilities submitted to your program.
Through the VRT, customers will see immediate and improved alignment of technical severity to submitted vulnerabilities. In addition, it enables more transparent communication with researchers through suggested technical severity of the vulnerability – as seen below – enabling clearer expectations from start to finish. This suggested priority is also provided to our Security Engineering Team for review during the triage process thereby decreasing the average triage time for customer programs’ submissions.
For more detailed information on the VRT classifications, our baseline technical severity for each, and a detailed methodology please visit the Bugcrowd VRT page.
We have also added a selectable drop-down target list to the vulnerability submission form providing researchers the ability to select from all in scope targets on your program. This field requires researchers to attach a target to each submission helping deliver a clear picture of the specific target affected by the submitted vulnerability.
Note: This field will only provide researchers the ability to select targets that are within the bounty scope; all submissions selected with a target labeled as ‘other’ are considered out of scope and may be ineligible for a reward.
Any thoughts, ideas, or questions? We’d love to hear from you at firstname.lastname@example.org or @Bugcrowd.