Managing CVSS Scores

The Common Vulnerability Scoring System (CVSS) provides a way for you to rate the severity of the vulnerabilities discovered in your application. It calculates a score using base metrics to help you determine the priority level for a reported vulnerability. Bugcrowd includes a CVSS V3.1 Calculator that you can use to generate a score using base metrics, which represent the most intrinsic characteristics of a vulnerability.

Base metrics measure the exploitability and impact of a vulnerability. They are the attack vector (AV), attack complexity (AC), privileges required (PR), user interaction (UI), scope (S), confidentiality impact (C), integrity impact (I), and availability impact (A).

To learn more about the base metrics, please see Common Vulnerability Scoring System Version 3.1 Calculator.

Enabling the CVSS Calculator

To enable the CVSS calculator:

  1. Select the required program and go to Settings.

  2. Click the Submissions tab.

    The Fields and settings page is displayed.

  3. On the Fields and settings page, scroll down to the CVSS v3.1 section.

    In the CVSS v3.1 section, move the slider to the right for the Common Vulnerability Scoring System v3.1 Calculator option.

    The “Enabled CVSS Calculation” message is displayed.

Mapping CVSS to Bugcrowd’s Technical Severity

To map CVSS to a submission’s technical severity:

  1. In the CVSS v3.1 section, move the slider for the Map CVSS to Bugcrowd’s technical severity option.

    The “Enabled CVSS severity mapping” message is displayed.

    You can set the CVSS ranges that will pre-fill the submission technical severity using integers or decimals between 0 and 10. If you do not customize the CVSS ranges, Bugcrowd’s default CVSS range values will be utilized for submission technical severity.

    After you enable the calculator and map technical severity, you can go to any submission to add a CVSS score and update the severity.

Adding a CVSS Score and Severity

CVSS scores can be added to any submission using the calculator.

Note: The CVSS score is not visible to researchers.

To add a CVSS score to a submission:

  1. Within a submission, go to the CVSS Base v3.1 section and click the Edit icon.

  2. When the calculator appears, specify the values for each metric. Use the scroll bar to scroll down and specify different metrics. To learn more about the metrics, please see Common Vulnerability Scoring System Version 3.1 Calculator.

  3. Scroll down to Bugcrowd’s VRT section. You can view the pre-filled severity and update it from the Technical severity drop-down.

  4. Click Save to save your changes.

    After you save your changes, the CVSS score is added to the submission along with the values you have assigned for each metric. The submission’s severity will be updated based on the severity you have selected.