418sec / huntr

Public Roadmap | huntr.dev
https://huntr.dev
264 stars 89 forks

Request to Add A Function to Challenge A Developer's Severity Rating #2225

Open Galapag0s opened 2 years ago

Galapag0s commented 2 years ago

Currently huntr provides no way for researchers to challenge a developer's severity assessment.

For the benefit of both researchers and huntr, this option should be made available.

In its current state, there's nothing preventing developers from creating inaccurate severity ratings to downplay potential security reporting. This hurts both researcher payouts and reputation, and the overall accuracy and integrity of huntr's reporting.

dievus commented 2 years ago

I agree with this. There's a significant difference between a platform that is able to issue CVEs and something like HackerOne, where vendors regularly play down severity for silly reasons. And to be fair, I've had a couple played down on this platform where it's clear the maintainer may simply have no idea what a real-world severity value is, or they are downplaying severity so that it doesn't affect the project.

While trying to remain humble, I do this work professionally and issue CVSS scores regularly in penetration testing reports and elsewhere. The severity of something doesn't change because a vendor or maintainer disagrees, or because the individual may not be a security professional at all, but rather a developer. And again, in the end, NIST will issue its own rating, and going through some of the CVEs on the platform, it's clear that the CVSS issued by the maintainer is grossly inaccurate. See as an example:

https://huntr.dev/bounties/5494e258-5c7b-44b4-b443-85cff7ae0ba4/ - the developer downgraded it significantly from 9.8 to 6.8, penalizing the researcher, and then NIST re-scored it at 8.8, which is appropriate in my opinion. (This maintainer has a history of doing this to researchers.)

In the end, this platform, not the maintainer, is uniquely positioned as both a bug bounty platform and a CNA. As such, there should be some additional deference shown to the researcher in these cases.