Quite frequency on the Bugcrowd Discord server you can find n00bs asking if something should be ‘reported’ or not.
Did they just discover their first real finding? Are they now 1337?
Let’s discuss that.
Bugcrowd has published the Vulnerability Rating Taxonomy. You should be intimately familiar with this page. It’s a resource outlining Bugcrowd’s baseline priority rating, including certain edge cases, for common vulnerabilities. The triage team you engage with when reporting your vulns use this as one of the inputs when evaluating your findings.
But its more than that. Its your guide into what sort of vulns you might want to consider looking for, and understanding its criticality and severity within scope of your work.
In other words, the VRT helps you to understand where you might want to focus your time, based on your experience and interest.
Even early in your hunter’s journey you want to get those ‘wins’. But you can only report so many P5 “Weak Password Policy” reports before you get bored, or worse yet disappointed, when its not paying out well for you.
Remove the burden on yourself and use the VRT to avoid that conflict. The VRT also helps you to understand:
- What sort of vuln pays the most. The higher the severity, typically the better the payout. You can see this in the “Technical severity” column.
- What sort of vulns to look for. You can see this in the “Specific vulnerability name” column.
- What area should you focus your hunting on. You can determine that by deciding which vuln(s) you like and then look in the “Variant / Affected function” column.
Here’s a tip. If you are really new and not sure where to start, consider sorting by the Technical Severity column and look at the P3 and P4 items. Copy the content in the “Specific vulnerability name” or “Variant / Affected function” columns and Google dork it against the Web Security Academy and search for it.
"Open redirect" site:portswigger.net inurl:web-security
(Drop the inurl if you want additional documentation and writeups not directly in the academy… like their great blog writeups)
There is a really good chance that you will find a tutorial or writeup to explain the class of vulnerability you are interested in and offer you some labs to try to learn and exploit yourself.
Why start at P3? In most bounty programs, its around here where the time/money ratio starts to balance out. Many programs don’t even wanna look at P5 (and sometimes P4) vulns.
That doesn’t mean that lower priority vulns aren’t important. But chances are, hunters before you have already reported those, which means you will hit a lot of dupes, which doesn’t help your confidence level as you start out. When you stumble upon them, report them. But don’t spend a lot of time on them to get started. Easy vulns doesn’t mean they are easy to find in an existing public program.
Oh ya… and don’t forget that some of the coolest findings reported use exploit chains using several lower priority vulns to escalate to something more meaningful, and valuable. So as you find these P3/P4 items start thinking about how you could chain them together to move it up to a P2. Or maybe even a P1… FTW .
HTH. Go read the VRT (again).
Good luck. Happy hunting!!