A few days ago we pushed out a policy change with a few small touch ups and one major change: we radically revamped the table covering what bugs we accept. So what changed and why?
Previously the table looked like this:
|Medium|Stored Cross-Site Scripting|
|Low|Apache Status Page|
The previous vulnerability table was based on the history of our program and the common vulnerability names that had been reported to us, and a standardized set of severities that we typically ranked them at once we identified the impact. That worked for a long time, but some clever folks noticed a flaw in the contents of the table and it led to a number of arguments about the severity that we scored vulnerabilities at and therefore the bounties we awarded.
For example, `Vertical Privilege Escalation`, `Admin Login Page Accessible`, `Can guess admin password by Brute Force`, and `Account Takeover` could all refer to the exact same bug, and they might all be correct. This is a mixture of weakness, attack, and results. So by listing both `Vertical Privilege Escalation` and `Account Takeover` in our bounty table we are in a situation where the researcher can say “Its an ATO, pay me for a Critical bug” and we say “It’s just a brute force attack, that’s out of scope so no bounty” and that feels bad for everyone involved.
Now, the table looks like this:
|Severity (low)|Severity (high)|CWE-ID|Common Weakness Enumeration|Bug Examples|
|Critical|Critical|[CWE-78](http://cwe.mitre.org/data/definitions/78.html)|OS Command Injection|Remote Code Execution; Code Injection; LDAP Injection|
|Medium|High|[CWE-306](http://cwe.mitre.org/data/definitions/306.html)|Missing Authentication for Critical Function|Exposed Administrative Interface|
|Low|Medium|[CWE-79](http://cwe.mitre.org/data/definitions/79.html)|Cross-Site Scripting|Stored XSS; POST-Based XSS; GET-Based XSS; DOM-Based XSS; Flash-based XSS; CSS Injection|
What we’ve done here is moved entirely over to accepting CWEs as the primary method to classify a bug when we award a bounty. Along with this, we no longer will strictly say “Stored Cross-Site Scripting is a Medium Severity bug” but rather, “that falls under CWE-79 which ranges from Low to Medium”. Flash-based xss also falls in that category which is clearly a lower severity than stored xss, but that’s where we look to classify the severity of a bug based on the CVSS score that it is submitted & triaged with.
When we go to determine bounty awards we will look at (in this order):
1. the CWE *(what is the payout range for the CWE reported)*
2. the impact *(does our understanding of the impact now that the bug is fixed match the CVSS the bug came in with? If not what severity do we rank it at now?)*
3. the standardized bounty for the common bug name *(we have a standardized amount we pay for each of the listed bug types, but that will only be used when there is zero room to dispute the bug type)*.
On the whole, this looks complicated but it should have very little impact on how you file reports with us. The purpose is to give a little more rigor to the classification of each report so that when it comes time to define impact and select an award, we are all already on the same page and don’t shock anyone with our decisions.