skip to Main Content
This website use cookies which are necessary to its functioning and required to achieve the purposes illustrated in the privacy policy. To learn more or withdraw consent please click on Learn More. By continued use of this website you are consenting to our use of cookies.

Vulnerability Rating Taxonomy

For Faster

Bugcrowd’s VRT is a widely-used, open source standard, offering a baseline risk-rating for each vulnerability submitted via Crowdcontrol. The VRT directly maps to the CVSS taxonomy.



Aligns customers and hackers with a common taxonomy.



Creates tighter matching between actual risk and the taxonomy rating.



Focuses efforts on remediating vulnerabilities rather than prioritizing bugs.


The VRT is superior to alternative taxonomies in four critical areas, and integrates with industry best practices such as CVSS.



Provides a baseline for the technical nature of each bug submission.



Unparalleled granularity aligns with real-world application security exploits.


Open sourced, mapped to CVSS, and curated weekly by Bugcrowd experts.


Quickly identify the impact of vulnerabilities without a complicated calculator.

Bugcrowd Maps To CVSS

Bugcrowd supports CVSS (Common Vulnerability Scoring System) as well as VRT. A CVSS score is automatically generated within the Crowdcontrol platform as soon as the submission has been assigned a VRT rating. If you choose to do so, the CVSS score can be adjusted by using the built-in CVSS 3.0 calculator in Crowdcontrol.

Implications for Customers

Our VRT helps customers provide clear guidelines and reward ranges to Hackers hunting on their programs. When vulnerabilities are ready to be fixed, customers receive VRT-mapped remediation advice to help fix what’s found, faster. For more information on our priority rating and worth of a bug, read our recently launched guide “What’s A Bug Worth“.

Implications for Bug Hunters

Our VRT helps Hackers compartmentalize and target specific vulnerability types, based on their objective priority to Bugcrowd customers. We hope that being transparent about the typical priority level for various bug types will help program participants save valuable time and effort in their quest to make bounty targets more secure.

Interested in becoming a Bugcrowd researcher? Join the crowd.

Free Guide

The Ultimate Guide to Managed Bug Bounty

A comprehensive guide to crowdsourced security and the how to implement a successful managed bug bounty program as part of your application security strategy.
Learn More


Join us at RSA 2022

Join top cybersecurity leaders and a dedicated community of peers as we exchange the biggest, boldest ideas that will help…

Register Now
Cyber Security Summit DC Metro

Join Bugcrowd’s Virtual Booth at Cyber Security DC Metro and Catch Murtaza Hafizji’s Speech at 3PM EST.

Register Now
Cyber Security Summit Chicago

Join Bugcrowd’s Virtual Booth at Cyber Security Chicago and Catch Murtaza Hafizji’s Speech at 3PM EST.

Register Now
Back To Top