
VRT entry for source code disclosure?

I’d like to propose a new entry to the VRT regarding source code disclosure. I’m thinking, for example, of scenarios where /.git folders are left accessible on the server, allowing an attacker to download the entire source code.

These 2 VRT entries are similar/related:

  • P1 > Sensitive Data Exposure > Critically Sensitive Data > Password Disclosure
  • P1 > Sensitive Data Exposure > Critically Sensitive Data > Private API Keys

In many cases, disclosure of the full source code will lead to at least one of the above disclosures, but not necessarily. Even if there are no passwords or private API keys in the source code, the impact is still quite high.

I’d therefore propose something like: P1 > Sensitive Data Exposure > Critically Sensitive Data > Source Code

My only concern is that this wording might lead researchers to think that companies’ public GitHub repositories, for example, are in scope - not the intention. Open for discussion!
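A defender-side self-check for the exposed-.git scenario raised in the issue, written as an added example (not code from the issue author or from Bugcrowd's VRT): it reports the directory as served only when `/.git/HEAD` and `/.git/config` both contain genuine git metadata, so catch-all routes that answer HTTP 200 with HTML for any path do not become false positives. The example.* hosts, the response bodies and the `fake_fetch` callback are constructed stand-ins for real HTTP responses.

```python
"""Self-check for a served .git directory, added for this thread; site names,
HTTP bodies and the fetch callback are constructed so it runs offline."""
import re
from typing import Callable, Dict, Optional

# A real HEAD file is either a symbolic ref or a bare 40-hex SHA-1.
HEAD_RE = re.compile(rb"^(ref: refs/[\w./-]+|[0-9a-f]{40})$")
# A real config file carries the [core] section written by `git init`.
CONFIG_RE = re.compile(rb"^\[core\]", re.MULTILINE)
Fetcher = Callable[[str], Optional[bytes]]  # body on HTTP 200, else None

def check_git_exposure(base_url: str, fetch: Fetcher) -> Dict[str, object]:
    """Probe the two files whose content proves a served .git directory.
    Both must look like git metadata: a catch-all route (SPA router, soft
    404 page) answers 200 with HTML for any path and is not a finding."""
    base = base_url.rstrip("/")
    head = fetch(base + "/.git/HEAD")
    config = fetch(base + "/.git/config")
    head_ok = head is not None and HEAD_RE.match(head.strip()) is not None
    config_ok = config is not None and CONFIG_RE.search(config) is not None
    evidence = [path for path, ok in (("/.git/HEAD", head_ok),
                                      ("/.git/config", config_ok)) if ok]
    return {"url": base, "exposed": head_ok and config_ok, "evidence": evidence}

# Constructed responses standing in for HTTP bodies (missing path = non-200).
CONSTRUCTED_SITES = {
    "https://exposed.example": {
        "/.git/HEAD": b"ref: refs/heads/main\n",
        "/.git/config": b"[core]\n\trepositoryformatversion = 0\n\tbare = false\n",
    },
    # Catch-all router: every path returns the same HTML with HTTP 200.
    "https://spa.example": {
        "/.git/HEAD": b"<!doctype html><html><body>app</body></html>",
        "/.git/config": b"<!doctype html><html><body>app</body></html>",
    },
    "https://hardened.example": {},  # .git denied at the web server: nothing served
}

def fake_fetch(url: str) -> Optional[bytes]:
    """Offline stand-in for an HTTP GET against the constructed sites."""
    for base, files in CONSTRUCTED_SITES.items():
        if url.startswith(base + "/"):
            return files.get(url[len(base):])
    return None

if __name__ == "__main__":
    for site in CONSTRUCTED_SITES:
        print(check_git_exposure(site, fake_fetch))
```

Plug a real HTTP client in as `fetch` to run it against your own hosts; the matching web server fix is to deny the path outright, for example nginx `location ~ /\.git { return 404; }`.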

Issue Analytics

  • State: closed
  • Created 6 years ago
  • Reactions: 3
  • Comments: 25 (13 by maintainers)

Top GitHub Comments

truemongo commented, Feb 2, 2018

Hi @CarlosSimas28, I was personally hesitant to mark it as a “straight” P1, too. However, I think it can be argued that many other entries that are currently marked with a specific priority are also, if you think about it, “Varies”. Case in point:

  • P1 > Sensitive Data Exposure > Critically Sensitive Data > Private API Keys

An API key disclosure by itself will also always vary in impact, depending on what service the API key is for, what level of access it has, etc. I would argue that compared to an API key disclosure, a source code disclosure will have more impact to a company. API keys can be rotated, but a loss of intellectual property in the form of source code is not reversible. In any case, I think this situation is common enough that there should be a VRT entry, and if we cannot come to agreement on priority, then having it as “Varies” is better than no entry. 😃

plr0man commented, Mar 2, 2018

Yes, Sensitive Data Exposure has been the entry of choice for this type of issue; Sensitive Data Exposure > Critically Sensitive Data would work too. We don’t see any significant benefit of adding a designated “Varies” entry at the moment.
