A few days ago we pushed out a policy change with a few small touch ups and one major change: we radically revamped the table covering what bugs we accept. So what changed and why?
Previously the table looked like this:

| Severity | Vulnerability |
|---|---|
| Medium | Stored Cross-Site Scripting |
| Low | Apache Status Page |
The previous vulnerability table was based on the history of our program: the common vulnerability names that had been reported to us, and the standardized severity we typically ranked each of them at once we had identified its impact. That worked for a long time, but some clever folks noticed a flaw in the contents of the table, and it led to a number of arguments about the severity we scored vulnerabilities at and therefore the bounties we awarded.
Vertical Privilege Escalation, Admin Login Page Accessible, Can guess admin password by Brute Force, and Account Takeover could all refer to the exact same bug, and they might all be correct. This is a mixture of weakness, attack, and result. So by listing both Vertical Privilege Escalation and Account Takeover in our bounty table we are in a situation where the researcher can say “It’s an ATO, pay me for a Critical bug” and we say “It’s just a brute force attack, that’s out of scope so no bounty”, and that feels bad for everyone involved.
Now, the table looks like this:

| Severity (low) | Severity (high) | CWE-ID | Common Weakness Enumeration | Bug Examples |
|---|---|---|---|---|
| Critical | Critical | CWE-78 | OS Command Injection | Remote Code Execution; Code Injection; LDAP Injection |
| Medium | High | CWE-306 | Missing Authentication for Critical Function | Exposed Administrative Interface |
| Low | Medium | CWE-79 | Cross-Site Scripting | Stored XSS; POST-Based XSS; GET-Based XSS; DOM-Based XSS; Flash-based XSS; CSS Injection |
What we’ve done here is move entirely over to accepting CWEs as the primary method of classifying a bug when we award a bounty. Along with this, we will no longer strictly say “Stored Cross-Site Scripting is a Medium Severity bug” but rather “that falls under CWE-79, which ranges from Low to Medium”. Flash-based XSS also falls in that category and is clearly a lower severity than stored XSS, and that is where we classify the severity of a bug based on the CVSS score it is submitted and triaged with.
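To make the two-step classification concrete, here is an added example (not code from the post or the program) that resolves a triaged report's severity from its CWE and CVSS score. It transcribes the three rows of the table above and assumes, since the post does not spell it out, that the CVSS qualitative rating is clamped into the CWE's low–high range.

```python
SEVERITIES = ["Low", "Medium", "High", "Critical"]

# Severity bounds per CWE, transcribed from the new bounty table above.
CWE_RANGE = {
    "CWE-78": ("Critical", "Critical"),  # OS Command Injection
    "CWE-306": ("Medium", "High"),       # Missing Authentication for Critical Function
    "CWE-79": ("Low", "Medium"),         # Cross-Site Scripting
}


def cvss_rating(score: float) -> str:
    """Qualitative rating for a CVSS v3.x base score (FIRST's standard bands)."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    if score == 0.0:
        return "None"
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


def classify(cwe: str, score: float) -> dict:
    """Resolve a triaged report's bounty severity from its CWE and CVSS score.

    Assumption (not spelled out in the post): the CVSS rating is clamped into the
    CWE's [low, high] range, so the CWE both caps and floors what the score claims.
    """
    if cwe not in CWE_RANGE:
        raise KeyError(f"{cwe} is not in the bounty table")
    low, high = CWE_RANGE[cwe]
    rating = cvss_rating(score)
    if rating == "None":
        final = "None"  # no impact, nothing to award
    else:
        idx = min(max(SEVERITIES.index(rating), SEVERITIES.index(low)),
                  SEVERITIES.index(high))
        final = SEVERITIES[idx]
    return {"cwe": cwe, "cvss_rating": rating, "range": f"{low}-{high}",
            "severity": final, "clamped": final != rating}


if __name__ == "__main__":
    # Constructed sample reports: a DOM XSS scored High and an admin panel scored Critical.
    for cwe, score in [("CWE-79", 7.5), ("CWE-306", 9.8)]:
        print(classify(cwe, score))
```

The `clamped` flag is the interesting output: it marks exactly the reports where the reporter's CVSS rating and the table's range disagree, which is where the old table produced arguments.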
When we go to determine bounty awards we will look at (in this order):
On the whole, this looks complicated but it should have very little impact on how you file reports with us. The purpose is to give a little more rigor to the classification of each report so that when it comes time to define impact and select an award, we are all already on the same page and don’t shock anyone with our decisions.