bugcrowd / vulnerability-rating-taxonomy

Bugcrowd’s baseline priority ratings for common security vulnerabilities
https://bugcrowd.com/vrt
Apache License 2.0

Update VRT language to remove ambiguity between subcategories #404

Open danzajork opened 7 months ago

danzajork commented 7 months ago

Background

The forward slash (/) has historically indicated "or" when selecting a VRT category.

For example, the VRT Server Security Misconfiguration > Username/Email Enumeration > Brute Force can be read as a security misconfiguration allowing an attacker to brute force usernames or email addresses. This has been the case for most VRT language to date and is the correct way to interpret it.

Issue

With the introduction of the new IDOR variants, the forward slash seems to imply "and" instead of "or".

Examples:

Broken Access Control (BAC) > Insecure Direct Object References (IDOR) > Read/Edit/Delete Sensitive Information/Iterable Object Identifiers

Broken Access Control (BAC) > Insecure Direct Object References (IDOR) > Edit/Delete Sensitive Information/Iterable Object Identifiers

Broken Access Control (BAC) > Insecure Direct Object References (IDOR) > Read Sensitive Information/Iterable Object Identifiers

In the above examples, the forward slash used in the IDOR variants implies "and". If it did imply "or" there would be no need for Broken Access Control (BAC) > Insecure Direct Object References (IDOR) > Read Sensitive Information/Iterable Object Identifiers since reading of sensitive information would be covered under Broken Access Control (BAC) > Insecure Direct Object References (IDOR) > Read/Edit/Delete Sensitive Information/Iterable Object Identifiers.

The Merriam-Webster Dictionary defines a slash as

a mark / used typically to denote "or" (as in and/or), "and or" (as in straggler/deserter), or "per" (as in feet/second)

https://www.merriam-webster.com/dictionary/slash

My suggestion is to standardize the VRT usage of the forward slash to mean "or". This should also be documented in a VRT style guide for those looking to contribute to the project or for those looking to understand the language used within the VRT.

Alternatively, the VRT could be updated to not use a slash when a phrase would be clearer. For example:

Server Security Misconfiguration > Username or Email Enumeration > Brute Force

not

Server Security Misconfiguration > Username/Email Enumeration > Brute Force

Additional example:

Broken Access Control (BAC) > Insecure Direct Object References (IDOR) > Read, Edit, and Delete Sensitive Information via Iterable Object Identifiers

not

Broken Access Control (BAC) > Insecure Direct Object References (IDOR) > Read/Edit/Delete Sensitive Information/Iterable Object Identifiers

TimmyBugcrowd commented 6 months ago

Thank you for this suggestion. We will definitely address this with the next release!