Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

VRT entry for source code disclosure?

See original GitHub issue

Hello,

I’d like to propose a new entry to the VRT regarding source code disclosure. I’m thinking, for example, of scenarios where /.git folders are left accessible on the server, allowing an attacker to download the entire source code.

These 2 VRT entries are similar/related: P1 > Sensitive Data Exposure > Critically Sensitive Data > Password Disclosure P1 > Sensitive Data Exposure > Critically Sensitive Data > Private API Keys

In many cases, disclosure of the full source code will lead to at least one of the above disclosures, but not necessarily. Even if there are no passwords or private API keys in the source code, the impact is still quite high.

I’d therefore propose something like: P1 > Sensitive Data Exposure > Critically Sensitive Data > Source Code

My only concern is that this wording might lead researchers to think, that companies’ public Github repositories, for example, are in scope - not the intention. Open for discussion!

Issue Analytics

State:
Created 6 years ago
Reactions:3
Comments:25 (13 by maintainers)

Top GitHub Comments

2reactions

truemongocommented, Feb 2, 2018

Hi @CarlosSimas28, I was personally hesitant to mark it as a “straight” P1, too. However, I think it can be argued that many other entries that are currently marked with a specific priority are also, if you think about it, “Varies”. Case in point:

P1 > Sensitive Data Exposure > Critically Sensitive Data > Private API Keys

An API key disclosure by itself will also always vary in impact, depending on what service the API key is for, what level of access it has, etc. I would argue that compared to an API key disclosure, a source code disclosure will have more impact to a company. API keys can be rotated, but a loss of intellectual property in the form of source code is not reversible. In any case, I think this situation is common enough that there should be a VRT entry, and if we cannot come to agreement on priority, then having it as “Varies” is better than no entry. 😃

1reaction

plr0mancommented, Mar 2, 2018

Yes Sensitive Data Exposure has been the entry of choice for this type of issues, Sensitive Data Exposure > Critically Sensitive Data would work too. We don’t see any significant benefit of adding a designated varies entry at the moment

Top Results From Across the Web

Bugcrowd's Vulnerability Rating Taxonomy

Technical severity ▽ VRT category Specific vulnerability name P1 Server Security Misconfiguration Using Default Credentials P1 Server‑Side Injection File Inclusion P1 Server‑Side Injection Remote Code Execution...

bug-bounty-vrt-1.6.pdf - Porkbun

To submit suggested changes, edits, or additions to the VRT, use our open source taxonomy found at github.com/bugcrowd/vulnerability-rating- ...

Source code disclosure - PortSwigger

Source code intended to be kept server-side can sometimes end up being disclosed to users. Such code may contain sensitive information such as...

Paranoids' Vulnerability Research: PrinterLogic Issues ...

In Summer 2021, the Paranoids' Vulnerability Research Team (VRT) ... Stack server code, which allowed us to begin performing source auditing ...

Tax and Duty Manual VRT Section 1 - Revenue

These registrations are ROS- based and ensure a system of rapid registration with the minimum of manual input errors. In 2010, Applus+ Car...