Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Sensitive service/login panel/file disclosure context-based entry classification and prioritization

See original GitHub issue

The VRT includes a number of intentionally-limited entries designated as varies due to both the technical and policy-based context necessary to prioritize. I believe we have an opportunity to clarify several similar issue categories to encourage thoughtful conversations about risk, design, and incentivization outcome. Related to yet distinct from HTTP risk/reports (see: #180) we have additional work to do here.

The categories include but are not limited to:

  • FTP / Sensitive Service usage
  • Potentially-sensitive resource exposure
    • Login panels
    • Diagnostic/status pages (Apache modules, phpinfo(), etc.)
    • Webserver root directory files

I propose we create appropriate high-level categories to classify these issues as varies for the following benefits:

  • Consistent classification across all bug bounty programs utilizing the VRT
  • Consistent outcome expectation setting, as pertains to priority, acceptance, and necessary risk discussion
  • Positive impact to the Bugcrowd platform kudos economy related to and dependent upon VRT, e.g. kudos-only program balance, open scope programs, platform-wide incentivization mechanics (leaderboard)

Issue #136 raised this concept for FTP alone and I believe that due to the above, combined with hard data observations, we should revisit this topic for the benefit of VRT in clarity but also the platform itself.

Issue Analytics

  • State:closed
  • Created 5 years ago
  • Comments:8 (4 by maintainers)

github_iconTop GitHub Comments

truemongocommented, Jul 14, 2018

Strong +1 on this. I feel these issues (along with HTTP risk stuff) should all be varies, its not enough to just downgrade their baseline priority. Marking them varies would force a discussion about risk that seems really important in these cases, and does not currently happen. Further, the “risk” for these categories is often known apriori and accepted by the clients, in which case there should be no rewards (kudos or financial).

Most vulnerability types require some sort of proof of exploitability / impact, while right now these are basically providing a kudos “free for all”. This is even more noticeable on kudos-only programs, where the bar to acceptance is lower, and the customers have little incentive to argue about risk/exploitability/root cause/etc, given its easier to just accept reports as they come (no financial consequences).

My thought on theses matters, which I’ve expressed often before, in a variety of ways, but with the hope I was a bit more eloquent this time.

ryancblackcommented, Aug 3, 2018

Closing this issue as no action needed after RFC.

Read more comments on GitHub >

github_iconTop Results From Across the Web

Bugcrowd's Vulnerability Rating Taxonomy
Technical severity ▽ VRT category Specific vulnerability name P1 Server Security Misconfiguration Using Default Credentials P1 Server‑Side Injection File Inclusion P1 Server‑Side Injection Remote Code Execution...
Read more >
Suitability Executive Agent Position Designation Tool - OPM
Position Designation Automated Tool (PDT). Proper position designation is the foundation of an effective and consistent suitability and personnel security ...
Read more >
Prioritizing vulnerability response: A stakeholder-specific ...
Prioritization combines these decision points into example decision trees that can be used to prioritize action on a work item.
Read more >
Cybersecurity Risk Management for Investment Advisers ...
(i) Categorize and prioritize cybersecurity risks based on an ... Will the proposed cybersecurity disclosures in Item 20 of Form ADV Part 2A ......
Read more >
Prioritized Approach to Pursue PCI DSS Compliance
The Prioritized Approach provides a roadmap of compliance activities based on risk associated with storing, processing, and/or transmitting cardholder data. The ...
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Post

No results found

github_iconTop Related Hashnode Post

No results found