bugcrowd / vulnerability-rating-taxonomy

Bugcrowd’s baseline priority ratings for common security vulnerabilities
https://bugcrowd.com/vrt
Apache License 2.0

Biases entries #416

Closed TimmyBugcrowd closed 4 months ago

TimmyBugcrowd commented 5 months ago

Added

- Data Biases - Representation Bias - Varies
- Data Biases - Pre-existing Bias - Varies
- Algorithmic Biases - Processing Bias - Varies
- Algorithmic Biases - Aggregation Bias - Varies
- Societal Biases - Confirmation Bias - Varies
- Societal Biases - Systemic Bias - Varies
- Misinterpretation Biases - Context Ignorance - Varies
- Developer Biases - Implicit Bias - Varies

AN2424 commented 4 months ago

We need to look into why this failed: https://github.com/bugcrowd/vulnerability-rating-taxonomy/actions/runs/9651409212/job/26619199396?pr=416

abhinav-nain commented 4 months ago

> We need to look into why this failed: https://github.com/bugcrowd/vulnerability-rating-taxonomy/actions/runs/9651409212/job/26619199396?pr=416

There was a mix-up in cvss_c3.json: the biases entries were added under server-security-misconfiguration. I have added the fix and fixed some indentation issues.

abhinav-nain commented 4 months ago

We are also missing entries for CWE for added biases, can we please check that. I have resolved all other issues.

AN2424 commented 4 months ago

@abhinav-nain here are the comments from Von AND @TimmyBugcrowd about the CWEs: Von: so these are entirely new categories. No CWEs currently exist for such things yet. Is there a possibility we can put N/A / null for the CWE?

Timmy: Based on my research, Biases don't directly correspond to specific CWEs because CWEs are generally centered around software vulnerabilities rather than biases inherent in data or algorithms. However, the broader categories of weaknesses related to software that can be influenced by such biases include data handling, security features, and design choices. I can come up with some Hypothetical CWE entries that could conceptually relate to those biases. Otherwise, we need a way around to pass those checks.

From this information, @abhinav-nain can we put NA or Null for the CWEs?

abhinav-nain commented 4 months ago

> @abhinav-nain here are the comments from Von AND @TimmyBugcrowd about the CWEs: Von: so these are entirely new categories. No CWEs currently exist for such things yet. Is there a possibility we can put N/A / null for the CWE?
>
> Timmy: Based on my research, Biases don't directly correspond to specific CWEs because CWEs are generally centered around software vulnerabilities rather than biases inherent in data or algorithms. However, the broader categories of weaknesses related to software that can be influenced by such biases include data handling, security features, and design choices. I can come up with some Hypothetical CWE entries that could conceptually relate to those biases. Otherwise, we need a way around to pass those checks.
>
> From this information, @abhinav-nain can we put NA or Null for the CWEs?

Yes, we can modify the test to ignore these, so that we can at least move forward from this PR, and for now I don't see any technical implication of it as well so it should be all good.
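The two problems raised in this thread (bias entries landing under the wrong top-level category, and a mapping check that has no CWE to map the new bias categories to) are the kind of thing a taxonomy CI check can catch. The script below is an added illustration, not the repository's own test suite: the tree layout it validates (`content` list of categories with `id`, `children`, `priority` and `cwe` keys) is a constructed simplification of the VRT files, and the sample data is constructed. The `CWE_OPTIONAL_CATEGORIES` set is the assumed allowlist of categories for which a null CWE is accepted, matching the decision above to let those entries through rather than invent hypothetical CWEs.

```python
"""Validate CWE mappings and placement of bias entries in a VRT-like tree.

Added example, not the bugcrowd/vulnerability-rating-taxonomy test code.
The JSON shape below is a constructed simplification of the real files.
"""
import re

# Constructed sample: one ordinary category with a CWE-mapped leaf and one
# bias category whose leaves legitimately carry no CWE.
SAMPLE_VRT = {
    "content": [
        {
            "id": "server_security_misconfiguration",
            "children": [
                {"id": "misconfigured_dns", "priority": 2, "cwe": ["CWE-16"]},
            ],
        },
        {
            "id": "data_biases",
            "children": [
                {"id": "representation_bias", "priority": None, "cwe": None},
                {"id": "pre_existing_bias", "priority": None, "cwe": None},
            ],
        },
    ]
}

# Constructed sample reproducing the mix-up described in the thread: a bias
# entry filed under server_security_misconfiguration instead of a bias category.
MISPLACED_VRT = {
    "content": [
        {
            "id": "server_security_misconfiguration",
            "children": [
                {"id": "representation_bias", "priority": None, "cwe": None},
            ],
        },
    ]
}

# Assumed allowlist: top-level categories whose entries may have a null CWE,
# because no CWE exists for data/algorithmic/societal biases.
CWE_OPTIONAL_CATEGORIES = {
    "data_biases", "algorithmic_biases", "societal_biases",
    "misinterpretation_biases", "developer_biases",
}

CWE_RE = re.compile(r"^CWE-\d+$")


def walk(node, path=()):
    """Yield (path, node) for node and all descendants; path is a tuple of ids."""
    here = path + (node["id"],)
    yield here, node
    for child in node.get("children", []):
        yield from walk(child, here)


def find_cwe_problems(vrt, optional=CWE_OPTIONAL_CATEGORIES):
    """Return human-readable problems for leaves with missing/malformed CWEs.

    A null CWE is only a problem when the leaf's top-level category is not in
    the optional set; a present CWE must be a non-empty list of CWE-<n> ids.
    """
    problems = []
    for root in vrt["content"]:
        for path, node in walk(root):
            if "children" in node:
                continue  # only leaf entries carry mappings
            cwe = node.get("cwe")
            if cwe is None:
                if path[0] not in optional:
                    problems.append(f"{'/'.join(path)}: missing CWE mapping")
                continue
            ok = isinstance(cwe, list) and cwe and all(CWE_RE.match(c) for c in cwe)
            if not ok:
                problems.append(f"{'/'.join(path)}: malformed CWE mapping {cwe!r}")
    return problems


def find_misplaced_bias_entries(vrt, bias_categories=CWE_OPTIONAL_CATEGORIES):
    """Return paths of leaves that look like bias entries (id ends in '_bias')
    but sit under a top-level category that is not a bias category."""
    misplaced = []
    for root in vrt["content"]:
        for path, node in walk(root):
            if "children" in node or not node["id"].endswith("_bias"):
                continue
            if path[0] not in bias_categories:
                misplaced.append("/".join(path))
    return misplaced


if __name__ == "__main__":
    for sample in (SAMPLE_VRT, MISPLACED_VRT):
        print(find_cwe_problems(sample), find_misplaced_bias_entries(sample))
```

With the allowlist in place the bias leaves pass the CWE check while every other category is still required to map; passing an empty allowlist shows what the unmodified check would have reported. The placement check is a suffix heuristic and would need a category-to-prefix table for entries such as "Context Ignorance" that do not end in "bias".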

abhinav-nain commented 4 months ago

@AN2424 @TimmyBugcrowd Pipeline issue is fixed.