vulnerability-rating-taxonomy
Bugcrowd’s baseline priority ratings for common security vulnerabilities
Hello, I am proposing we remove "Broken Access Control (BAC) > Server-Side Request Forgery (SSRF) > External" from the VRT for the following reasons: ## Its impact is vague From...
Hey all, Something I used to see is when you find, for example, an IDOR and an attacker could leak PII, financial data, etc., you can't select the proper priority/impact...
Currently, it appears that leaked PII is being categorized as Sensitive Data Exposure > Disclosure of Secrets > For Publicly Accessible Asset. Would it make sense to have a Sensitive...
Vulnerability details: The API secret for the vendor does not have functionality to mask the API secret on screen. An attacker could easily capture this API secret through a shoulder surfing attack. It...
I see that Application-wide CSRF has a fixed priority of P2. Then why does Application-wide CORS not have a fixed priority of P2? Triage team is...
Submission Reference: 0eee5d2516e4b5921f3f77ce006660c4fb992fb5d0a32abbc71ce771cd7784b1 Broken Authentication and Session Management → Weak Login Function → Over HTTP The team is looking into only plain text transfer of data in login only but...
Issue Background: The vulnerable application allows a user to log in using their Google account. However, the backend does not check whether the provided code parameter (token) is generated for the vulnerable app...
With IE support being removed from Microsoft services in mid-August ([source](https://techcommunity.microsoft.com/t5/microsoft-365-blog/microsoft-365-apps-say-farewell-to-internet-explorer-11-and/ba-p/1591666)), it seems time to decrease the priority of such findings. #### [CVSS v3 Mapping](https://github.com/bugcrowd/vulnerability-rating-taxonomy/blob/master/mappings/cvss_v3/cvss_v3.json): #### [CWE Mapping](https://github.com/bugcrowd/vulnerability-rating-taxonomy/blob/master/mappings/cwe/cwe.json): #### [Remediation...
Hi all, I wanted to bring up a few issues that I and some other ASEs have been seeing with the current XSS VRT items. In particular, there is some confusion/inconsistency...
It is easy to forget about the changelog. Let's automate this.