-
Notifications
You must be signed in to change notification settings - Fork 88
VRT Council minutes
Host: @plr0man
Review duty: @VinceMHernandez
Active participants (other than the above): @adamrdavid, @barnett, @jquinard, @csimas1, @shpendk
Attendees (other than the above): @roberttreder, @chrashley-, @dshiv, @TheGarth, @SwayzeSlacks85,
Agenda items:
-
[WIP] Add mapping to Secure Code Warrior trial #264
- Someone needs to verify the mapping code and try to have it done by next week but could be a shared responsibility. Possibly too early to go over and review this information. No timeline yet for the launch. Since it is a mapping it could be launched as a patch.
-
Improving the credentials disclosure VRT entries
- Credentials disclosure VRT entries are the most downgraded. Purposing a new category adjustment with updated ratings.
Host: @plr0man
Review duty: @TheGarth
Active participants (other than the above):
@Dshiv, @jquinard, @SwayzeSlacks85
Attendees (other than the above):
@adamrdavid, @chrashley-, @roberttreder, @barnett, @csimas1
Agenda items:
-
#263 - Universal (UXSS) - Should have Higher Severity No changes needed here. This entry is not for XSS in browsers/extensions but in webapps that might use these if the user installed them
-
#262 - Clarification related to "No Spoofing Protection on Email Domain" Will clarify with the researcher. The best way to check if a domain is in fact used for emails is to receive a valid email and if not ask the customer.
Host: @plr0man
Review duty: @m-q-t
Active participants (other than the above): @adamrdavid, @barnett, @jquinard, @dshiv
Attendees (other than the above): @roberttreder, @m-q-t, @pizza-enthusiast, @khemmingsen, @TheGarth, @SwayzeSlacks85, @VinceMHernandez, @dapperRobotBear
Agenda items:
-
Why Was issue #150 merged into the VRT? #256
- A decision was made about this issue during last council meeting. It was decided that there is no need to revise it.
-
Pruning or consolidation of the VRT
- Still being discussed.
Host: @plr0man
Review duty: @Dshiv
Active participants (other than the above): @adamrdavid, @barnett, @m-q-t
Attendees (other than the above): @roberttreder, @jquinard, @pizza-enthusiast, @khemmingsen, @TheGarth, @SwayzeSlacks85, @VinceMHernandez
Agenda items:
-
No memory corruption bugs? #258 (Should we introduce priority ranges?) Most agreed that the end result of these bugs already had VRT entries.
-
Stricter mapping requirement or keeping the default
- No action needed. We agree that current checks are sufficient, but recognize that we might want to make them stricter if there's need in the future.
- Process changes coming down the pipeline that affect (and make more critical) the use of the VRT
- No discussion happened here.
- Pruning or consolidation of the VRT
- No discussion happened here.
Additional Notes:
There was discussion around the idea of creating Priority Mappings. This would require a decent update to the VRT. Talks around not having a default set for these as well. There was a agreement that the idea was good.
Host: @plr0man
Review duty: @VinceMHernandez
Active participants (other than the above): @Dshiv, @jquinard, @adamrdavid, @barnett, @TheGarth, @m-q-t
Attendees (other than the above): @roberttreder, @pizza-enthusiast, @khemmingsen
Agenda items:
-
Failure to Invalidate Session > On 2FA Activation/Change #257
Researchers are referencing other reports about this issue and P5 seems to be the recommended rating. The result is adding it as P5 -
Why Was issue #150 merged into the VRT? #256
Previous discussions stated that an app could have this disabled on specific sensitive areas. We will take votes on how to proceed with this issue. -
When are we cutting a new release of the VRT?
Steps to produce a new VRT version can take place next week.
Host: @plr0man
Review duty: @plr0man
Active participants (other than the above): @dapperRobotBear, @adamrdavid, @barnett, @theGmoney, @m-q-t, @OppenheimersToy
Attendees (other than the above): @TheGarth, @roberttreder, @jquinard, @chrashley-, @pizza-enthusiast
Agenda items:
-
Adding a category for disclosed/leaked usernames and passwords #254
Current VRT entries suffice for the time being. There are some changes in the platform that are under development and will allow the researchers to suggest a rating for "Varies" entries. Once that's being deployed we should look into changing some VRT entries into "Varies" to better reflect the average ratings -
Review of statistical data on how VRT ratings are adjusted in the reports
Host: @plr0man
Review duty: @Dshiv,
Active participants (other than the above):
@SwayzeSlacks85, @adamrdavid, @VinceMHernandez,
Attendees (other than the above): @TheGarth, @khemmingsen, @roberttreder, @m-q-t
Agenda items:
-
#248 - New VRT Entry Add a new entry to VRT for Sensitive Data Exposure. This was discussed. Over all the issue here was the person not fully understanding the Bugcrowd Submission UI.
-
#249 - Insecure Deserialization The only example show here is already covered by the VRT. The team decided that we would request an example that is not already covered.
-
Internal Discussion regarding 'stay logged in' We decided that this should be treated just like lack of session invalidation on password change reports.
Host: @plr0man
Review duty: @TheGarth,
Active participants (other than the above): @Dshiv, @theGmoney, @roberttreder
Attendees (other than the above): @adamrdavid, @chrashley, @jquinard, @m-q-t, @VinceMHernandez, @pizza-enthusiast
Agenda items:
- #246 - Add a new VRT entry for: Failure to Invalidate Session -> Cookie Replay Attack: We agree that this is a N/A type of issue and the suggested protections are questionable.
Host: @plr0man
Review duty: @jquinard
Active participants (other than the above):
Attendees (other than the above): @TheGarth, @VinceMHernandez, @m-q-t, @Tcune, @adamrdavid, @SwayzeSlacks85, @Dshiv, @barnett
Agenda items:
-
#243 - Cache Poisoning
Needs remediation advice. -
#241 - Race condition
Remediation advise needs polishing.
Host: @plr0man
Review duty: @Dshiv
Active participants (other than the above): @roberttreder, @SwayzeSlacks85, @chrashley
Attendees (other than the above): @adamrdavid, @TheGarth, @m-q-t, @Tcune, @trimkadriu, @VinceMHernandez
Agenda items:
-
Add Automotive Security Misconfiguration mappings #237 PR has been created.
-
Adding Race Condition #241 Missing remediation advice. We decided that it is our (BC/SecOps) responsibility to provide remediation advice if there's none suggested by the community
Host: @plr0man
Review duty: @roberttreder
Active participants (other than the above): @shpendk, @SwayzeSlacks85, @Dshiv, @jquinard, @barnett, @chrashley
Attendees (other than the above): @adamrdavid, @TheGarth, @m-q-t, @Tcune, @VinceMHernandez
Agenda items:
-
#238 - Impact problems Extensively discussed. Widely agreed that chaining vulnerabilities needs to be addressed, many want to wait until support for this is baked into the platform itself, which is something being worked on. Several options were discussed to address perceived inconsistency between different victim interaction account takeover entries, including downgrading priority of some entries, upgrading priority of common chaining vulnerabilities, etc. More discussion and community feedback will be sought before any changes are made.
-
#237 - Automotive VRT CVSS mapping has been provided, will be reviewed and added to the VRT.
Host: @plr0man
Review duty: @jquinard
Active participants (other than the above): @adamrdavid, @roberttreder, @Tcune, @theGmoney
Attendees (other than the above): @TheGarth, @trimkadriu, @VinceMHernandez, @m-q-t
Agenda items:
-
#237 - Automotive VRT
Waiting for CVSS mapping. -
#231 - Race condition
Proposed “varies” class. Still being discussed. -
#235 - Cache poisoning
Proposed “varies” class. Still being discussed. -
#239 - Indicators of compromise
Missing CWE mapping and remediation mapping. -
#238 - Impact problems
Reflected XSS to account takeover is still a P3. Need more discussion on how to handle chaining with P4/P5 issues which would technically lead to account takeover.
Host: @plr0man
Review duty: @VinceMHernandez
Active participants (other than the above): @roberttreder, @SwayzeSlacks85, @jquinard
Attendees (other than the above): @rwilliamson2011, @chrashley-, @Tcune, @Dshiv, @TheGarth, @theGmoney, @shpendk, @khemmingsen, @trimkadriu
Agenda items:
-
#235- Adding DNS Cache Poisoning to VRT
Seems like a good addition once we the rating is ironed out. Perhaps a “varies” here until we gather enough data regarding exploit types. -
#231- Race Condition entry
Good entry to have and need to confirm the category and varies seems to be the route to take. -
VRT 1.7
Work in progress should be available soon.
Host: @plr0man
Review duty: @TheGarth,
Active participants (other than the above): @roberttreder, @SwayzeSlacks85, @barnett, @jquinard
Attendees (other than the above): @adamrdavid, @chrashley-, @Tcune, @VinceMHernandez
Agenda items:
- P3: XSS -> Unstored (form based CSRF) #229 - The consensus is that this is a POST-based reflected XSS by our current definitions.
- Two separate entries for password change and reset #230 - This was an intentional change at an earlier point of the VRT. We will review & share the original reasoning for the decision.
- Race Condition #231 - No consensus so far on if we need a new entry. Currently it seems like "varies" would be the most favored option.
Host: @plr0man
Review duty: @Dshiv
Active participants (other than the above): @adamrdavid, @jquinard, @barnett, @chrashley-
Attendees (other than the above): @TheGarth, @trimkadriu, @VinceMHernandez, @SwayzeSlacks85, Kevin Hemmingsen
Agenda items:
- Indicators of Compromise #224
Add to the VRT an indication that something has been compromised. Discussion around the reasoning we should have is. When new VRT entry has a base line priority we see some increase. Varies might cause it to be lower.
----
Choice: Add it so we may observer researcher interactions around it.
Host: @plr0man
Review duty: @VinceMHernandez
Active participants (other than the above): @barnett
Attendees (other than the above): @Tcune, @jquinard, @SwayzeSlacks85, @TheGarth, @adamrdavid, @khemmingsenm, @chrashley-
Agenda items:
-
#202 - Adding Automotive VRT Categories for Vehicle-based bugs
Categories are being added to VRT and @shipcod3 will address mappings. -
Scheduling of v1.7 release updates
PR will be reviewed today by @VinceMHernandez with hopes of getting a release next week.
Host: @plr0man
Review duty: @TheGarth
Active participants (other than the above): @adamrdavid, @theGmoney, @jquinard, @barnett
Attendees (other than the above): @trimkadriu, @Dshiv, @SwayzeSlacks85, @khemmingsen
Agenda items:
-
#217 - The team considers this to be P5 as the issue is with the email provider. We might want to add a P5 entry here.
-
#218 - Further Review Needed
-
#213 - Notes from @barnett
-
Enabling outside contributions on remediation advice - Request from @caseyjohnellis that @barnett was looking to get feedback on
-
Scheduling of v1.7 release - Time to wrap up all PRs/Issues. We'll try to get it done by next council meeting
Host: @plr0man
Review duty: @Tcune
Active participants (other than the above): @jquinard, @Dshiv, Attendees (other than the above): @TheGarth, @trimkadriu, @EdisK, @VinceMHernandez, @SwayzeSlacks85, @roberttreder, @theGmoney
Agenda items:
#212 - Revise Application-level DoS baseline severity rating Most disagreed on adding a varies entry for this. Decided to poll our options.
Host: @plr0man
Review duty: @jquinard
Active participants (other than the above): @roberttreder, @Tcune, @SwayzeSlacks85
Attendees (other than the above): @FatihEgbatan, @TheGarth, @trimkadriu, @semprix, @adamrdavid, @VinceMHernandez, @CarlosSimas28, @shpendk
Agenda items:
-
#203 - 2FA Secret recovery and refresh
Decided on syntax for proposed category. Will be scheduled to be added to VRT. -
#209 - Session Deletion Upon Account Removal
Consensus for priority is ‘varies’. It was then decided that the entry would not be needed since generic BAC would suffice. -
#210 - Add DOM based XSS as P2
This would essentially be a subclass of reflected XSS. Not enough support to be added as its own subclass.
Host: @plr0man
Review duty: @chrashley-
Active participants (other than the above): @Dshiv, @jquinard, @shpendk, @barnett
Attendees (other than the above): @FatihEgbatan, @TheGarth, @trimkadriu, @VinceMHernandez, @shipcod3, @semprix, @simasc
Agenda items:
Adding Automotive VRT Categories for Vehicle-based bugs #202 Needs more feedback
2FA Secret recovery and refresh #203 There is a proposed classification that needs to be polished
Session Deletion Upon Account Removal #209 Needs discussion
Host: @plr0man
Review duty: @jquinard
Active participants (other than the above): @Dshiv, @shipcod3, @SwayzeSlacks85
Attendees (other than the above): @FatihEgbatan, @roberttreder, @TheGarth, @trimkadriu, @semprix, @adamrdavid, @VinceMHernandez
Agenda items:
-
Adding Automotive VRT Categories for Vehicle-based bugs #202
This is still in progress and waiting on more feedback. -
2FA Secret recovery and refresh #203
Agreed on P4. VRT syntax in discussion. -
VRT is incorrectly perceived as Web only.
How do we remedy this?
Host: @plr0man
Review duty: @roberttreder
Active participants (other than the above): @Dshiv, @adamrdavid, @jquinard
Attendees (other than the above): @chrashley-, @shpendk, @OppenheimersToy, @FatihEgbatan, @shipcod3, @jquinard, @roberttreder, @TheGarth, @SwayzeSlacks85, @trimkadriu
Agenda items:
- Add Password Reset Token Leakage via Host Header Poisoning on Password Reset Function #199
Discussion of where this should slot into the VRT - Adding Automotive VRT Categories for Vehicle-based bugs #202
Looking for more feedback - 2FA Secret recovery and refresh #203
Discussion of whether this should be a P4 or P5 - Revise username enumeration entry names #207
Will comment in Github
Host: @plr0man
Review duty: @Dshiv
Active participants (other than the above): @CarlosSimas28, @jquinard, @shpendk, @shipcod3, @SwayzeSlacks85
Attendees (other than the above): @adamrdavid, @chrashley-, @semprix, @EdisK, @FatihEgbatan, @TheGarth, @SwayzeSlacks85,(Kevin hemmingsen), @roberttreder, @Tcune, @VinceMHernandez
Agenda items:
- Add Password Reset Token Leakage via Host Header Poisoning on Password Reset Function #199 We agree on the proposed entry P2: Sensitive Data Exposure > Weak Password Reset Implementation > Token Leakage via Host Header Poisoning
- Adding Automotive VRT Categories for Vehicle-based bugs #202
No further questions regarding this happened. - 2FA Secret recovery and refresh #203
Sounds like a discussion on the purpose of P5 - Informational and how it's been working out since it was introduced. Still waiting for more opinions in the issue - Email spoofing on non-email domain #204
We agree on the proposed entry:
P5 - Server Security Misconfiguration | Mail Server Misconfiguration | Email Spoofing on non-email domain
Further discussion on this item is needed. - Casey's question regarding an angry researcher Tweet
A look into the meanings of many enumeration VRT category items needs to happen.
Host: @plr0man
Review duty: @Tcune
Active participants (other than the above): @shpendk, @adamrdavid, @shipcod3, @Dshiv, @jquinard
Attendees (other than the above): @roberttreder, @EdisK, @TheGarth, @SwayzeSlacks85, @trimkadriu, @VinceMHernandez, @chrashley, @CarlosSimas28, @FatihEgbatan, @semprix, @theGmoney,
Agenda items:
1.Add Password Reset Token Leakage via Host Header Poisoning on Password Reset Function #199
Discussed how impactful this would be and how often this is seen. The team would like a vrt entry added
2.Add Missing Pragma HTTP Header #200.
Also discussed how often this is seen and whether a entry should be added. The team does not believe any changes are necessary.
3.Should we add an entry for missing spoofing protection on non email domain?
Take a poll and see if we still need a new entry.
4."Using Components with Known Vulnerabilities" Should be 'Varies' #201
Discuss improvements with the design team around being able to assign the VRT on any level and making it more clear that those are "Varies". The team agrees that there's no need for changes here as a working PoC should result in being able to assign the VRT entry corresponding to the end result vulnerability. Any CVE based reports are not applicable if there's no PoC.
5.Can we add some of the automotive automotive vulnerability classes from fca's schema/bug bash to the vrt.
Jay has some lists for VRT catagories.
Host: @plr0man
Review duty: @TheGarth
Active participants (other than the above): @SwayzeSlacks85, @adamrdavid, @EdisK, @trimkadriu
Attendees (other than the above): @chrashley-, @shipcod3, @jquinard, @roberttreder, @rwilliamson2011, @shpendk, @VinceMHernandez, @Dshiv
Agenda items:
- Add rate limiting to arbitrary account lockout #194 Discussion related to the potential baseline rating for the issue, as well as a satisfactory entry name. We decided to close the issue at this time.
- Add Flash-based Cross-Site Scripting (XSS) as P4 #120 Discussed new comments on the issue.
- Missing DMARC (P5) Needs Moving Inline with Email Spoofing (P3) #195 Decided on an updated classification proposal.
Host: @plr0man
Review duty: @EdisK
Active participants (other than the above): @Dshiv, @adamrdavid, @shpendk, @trimkadriu
Attendees (other than the above): @CarlosSimas28, @Tcune, @EdisK, @FatihEgbatan, @roberttreder, @VinceMHernandez, @rwilliamson2011, @chrashley-, @SwayzeSlacks85
Agenda items:
- Add rate limiting to arbitrary account lockout #194
Most of us agreed on having it as a potential P4 Entry. Still to be discussed. - Missing DMARC (P5) Needs Moving Inline with Email Spoofing (P3) #195
We discussed and agreed upon that we should be triaging such issues as P4 as it actually shows a misconfiguration in DMARC.
Host: @plr0man
Review duty: @trimkadriu
Active participants (other than the above): @Dshiv, @adamrdavid
Attendees (other than the above): @CarlosSimas28, @Tcune, @EdisK, @FatihEgbatan, @roberttreder, @VinceMHernandez, @rwilliamson2011, @chrashley-, @shpendk, @SwayzeSlacks85
Agenda items:
- Add rate limiting to arbitrary account lockout #194
We gave it another week to discuss on Github with the community to determine the final decision. - Missing DMARC (P5) Needs Moving Inline with Email Spoofing (P3) #195
We discussed the findings of our research & tests, while an initial proposal for change is made. Still left to do more tests and lookup for any loopholes for that.
Host: @plr0man
Review duty: @Tcune
Active participants: @@adamrdavid, @barnett
Attendees: @CarlosSimas28, @FatihEgbatan, @VinceMHernandez, Abby Mulligan, @rwilliamson2011, @jquinard, @chrashley-, @TheGarth, @shipcod3, @SwayzeSlacks85, @OppenheimersToy, @Dshiv, @shpendk, @roberttreder, @theGmoney, @@trimkadriu
Agenda items:
- Add rate limiting to arbitrary account lockout #194. Looks like we are all in agreement. ASE on duty will leave a comment.
Host: @plr0man
Review duty: @roberttreder
Active participants (other than the above): @ryancblack, @trimkadriu
Attendees (other than the above): @CarlosSimas28, @FatihEgbatan, @VinceMHernandez, Abby Mulligan, @rwilliamson2011, @jquinard, @chrashley-, @TheGarth, @shipcod3, @SwayzeSlacks85, @OppenheimersToy, @Dshiv
Agenda items:
- Add rate limiting to arbitrary account lockout #194 We agree that there is need for such entry. We will discuss on Github over the coming week with the community to determine the scope of the entry and whether a more descriptive name can be found.
Host: @plr0man
Review duty: @shipcod3
Active participants (other than the above): @theGmoney, @Dshiv, @adamrdavid, @roberttreder
Attendees (other than the above): @trimkadriu, @CarlosSimas28, @FatihEgbatan, @VinceMHernandez, Mark Druzin, Mike Perez, @jquinard, @chrashley-, @ryancblack, Kevin Hemmingsen, @rwilliamson2011, @TheGarth
Agenda items:
- @plr0man open PR for #187
- ASE on duty review #187
- ASE on duty share an opinion in #188
Host: @plr0man
Review duty: @trimkadriu
Active participants (other than the above): @jquinard, @chrashley-, @theGmoney, @Tcune, @ryancblack, @Dshiv
Attendees (other than the above): @trimkadriu, @CarlosSimas28, @FatihEgbatan, @shipcod3, @roberttreder, @VinceMHernandez, Mark Druzin, Mike Perez
Agenda items:
- Add Missing CAPTCHA #187
We agree that there is need for such entry. There might be need to update the subcategory name though as it says "bypass" and the entry would be for "missing".
Host: @plr0man
Review duty: @jquinard
Active participants (other than the above): @theGmoney, @Dshiv, @ryancblack
Attendees (other than the above): @CarlosSimas28, @FatihEgbatan, @shipcod3, @roberttreder, @Tcune, @VinceMHernandez, @TheGarth, Abby Mulligan
Agenda items:
-
Subdomain Takeover #178
Unanimous consensus on proposed VRT class changes. -
Discuss ways to add context to VRT classes, geared towards researchers and clients.
Host: @plr0man
Review duty: @TheGarth
Active participants (other than the above): @theGmoney, @jhaddix, @ryancblack, @Dshiv
Attendees (other than the above): @adamrdavid, @chrashley-, @barnett, @CarlosSimas28, @FatihEgbatan, @shipcod3, @jquinard, @roberttreder, @rwilliamson2011, @OppenheimersToy, @SwayzeSlacks85, @shpendk, @trimkadriu, @Tcune, @VinceMHernandez, Kevin Hemmingsen, Mike Perez
Agenda items:
-
Add Insecure Binary category #178
A decision was made to close this issue. Nevertheless a good learning experience for the team. -
Add New Clickjacking Subcategory #179
We have a green light to implement option 1. -
Broken Authentication and Session Management - Weak Login Function Changes #180
Needs more input with all three options being proposed. This issue is related to #181 -
Sensitive service/login panel/file disclosure context-based entry classification and prioritization #181
We all seem to agree with the FTP oriented issues being most appropriately classified as Varies. The rest of the issue needs more feedback as there are drawbacks around using Varies.
Host: @plr0man
Review duty: @Dshiv
Active participants (other than the above): @theGmoney, @jhaddix
Attendees (other than the above): @adamrdavid, @chrashley-, @barnett, @FatihEgbatan, @jquinard, @OppenheimersToy, @SwayzeSlacks85, @shpendk, @trimkadriu, @Tcune, @VinceMHernandez
Agenda items:
-
XSS Admin -> everyone is rated too high #166
We’ve revisited this topic with the team based on the recent feedback and will share the decision in the issue -
Add Insecure Binary category #178
Looks like option 2 is the preferred one. Waiting on more feedback until the next VRT Council -
Add New Clickjacking Subcategory #179
Awaiting more feedback in the issue -
Broken Authentication and Session Management - Weak Login Function Changes #180
Initial conversation leaves the door open to choose between the two proposed solutions: option 1 from jhaddix and option 2 from plr0man
Host: @plr0man
Review duty: @VinceMHernandez
Active participants (other than the above): @roberttreder, @ryancblack
Attendees (other than the above): @FatihEgbatan, @CarlosSimas28, @trimkadriu, @TheGarth, @shipcod3, @SwayzeSlacks85, @Tcune, @chrashley-, Abby Mulligan, @EdisK, @Dshiv, @jhaddix, @jquinard, @OppenheimersToy, @rwilliamson2011, @shpendk
Agenda items:
-
XSS Admin -> everyone is rated too high #166
We have a green light to implement the originally proposed solution -
Add Insecure Binary category #178
General discussion and call for feedback
Host: @plr0man
Review duty: @shipcod3
Active participants (other than the above): @shpendk, @adamrdavid, @jquinard, @chrashley
Attendees (other than the above): @barnett, @FatihEgbatan, @CarlosSimas28, @trimkadriu, @theGmoney, @TheGarth, @SwayzeSlacks85, @roberttreder, @Tcune
Agenda items:
-
XSS Admin -> everyone is rated too high #166
Needs more discussion -
Add SSL Certificate Error #176
Agreed and waiting for a PR
Host: @plr0man
Review duty: @roberttreder
Active participants (other than the above): @jquinard, @Tcune
Attendees (other than the above): @adamrdavid, @barnett, @FatihEgbatan, @CarlosSimas28, @trimkadriu, @theGmoney, @TheGarth, @shipcod3, @OppenheimersToy, @SwayzeSlacks85, @VinceMHernandez, @shpendk
Agenda items:
-
XSS Admin -> everyone is rated too high #166
We will research a solution this coming week. -
Add No-Rate-Limit SMS triggering #169
We have a green light to implement as proposed by the majority.
Host: @plr0man
Review duty: @jquinard
Active participants (other than the above): @theGmoney, @trimkadriu, @Tcune
Attendees (other than the above): @EdisK, @rwilliamson2011, @CarlosSimas28, @shipcod3, @SwayzeSlacks85, @VinceMHernandez, @chrashley-, @shpendk, @barnett, @adamrdavid, @TheGarth, @roberttreder, @OppenheimersToy, Kevin Hemmingsen
Agenda items:
-
XSS Admin -> everyone is rated too high #166
Needs research on the best classification based on the XSS to privilege gain level and who “anyone” would be -
Revise 'Email Spoofable Via Third-Party API Misconfiguration' #167
We’ve chosen option 2. -
Add No-Rate-Limit SMS triggering #169
We agree about the proposed entry and P4 rating
Host: @plr0man
Review duty: @FatihEgbatan
Active participants (other than the above): @theGmoney, @SwayzeSlacks85, @trimkadriu, @shpendk, @roberttreder
Attendees (other than the above): @ryancblack, @adamrdavid, @chrashley-, @barnett, @CarlosSimas28, @FatihEgbatan, @TheGarth, @shipcod3, @jquinard, Kevin Hemmingsen, Marc Druzin, @rwilliamson2011, @Tcune, @VinceMHernandez
Agenda items:
-
Second Factor Authentication Bypass Proposal #94
Waiting on a green light from the team in the issue -
Add WAF Bypass > Direct Server Access #170
Needs research on applicable CWE mapping and if none found a merge -
XSS Admin -> everyone is rated too high #166
We are considering adjustments based on the XSS to privilege gain level -
Revise 'Email Spoofable Via Third-Party API Misconfiguration' #167
Needs more comments as there are multiple opinions -
Add Blind XSS? #168
Needs a response -
Add No-Rate-Limit SMS triggering #169
We'd like to add such an entry as P4
Host: @plr0man
Review duty: @chrashley-
Active participants (other than the above): @theGmoney, @shipcod3
Attendees (other than the above): @ryancblack, @adamrdavid, @barnett, @CarlosSimas28, @FatihEgbatan, @TheGarth, @jquinard, Kevin Hemmingsen, Marc Druzin, @rwilliamson2011, @roberttreder, @SwayzeSlacks85, @Tcune, @VinceMHernandez
Agenda items:
-
XSS Admin -> everyone is rated too high #166
Waiting on jcran’s response and/or any other feedback -
Simplify CWE mapping / Use nodes in the "Research" view #160
If no response we will update this PR with according to the existing review -
Second Factor Authentication Bypass Proposal #94
We have a consensus and will share it in the issue -
Suggestion to add new entry for WAF Bypass #159
If no further feedback we will implement the solution proposed in the most recent comment -
Revise 'Email Spoofable Via Third-Party API Misconfiguration' #167
Waiting on more feedback
Host: @plr0man
Review duty: @Dshiv
Active participants (other than the above): @ryancblack, @jquinard, @CarlosSimas28, @trimkadriu
Attendees (other than the above): @barnett, @chrashley-, @adamrdavid, @FatihEgbatan, @shipcod3, @tcune, @VinceMHernandez
Agenda items:
- Admin -> everyone is rated too high #166
Awaiting more info
Host: @swayzeslacks85 Review duty: @trimkadriu Active participants (other than the above): @theGmoney, @barnett, @plr0man, Casey Ellis, @chrashley-, @ryancblack Attendees (other than the above): Abby Mulligan, Adam David, @CarlosSimas28, @EdisK, @FatihEgbatan, @shipcod3, @jquinard, Keith Hoodlet, Kevin Hemmingsen, @rwilliamson2011, @roberttreder, @shpendk, @tcune, @VinceMHernandez
Agenda items:
-
General discussion and call for feedback on the pending VRT issues
-
Further discussion over jcran's CWE feedback, greater dialogue needed here as CVSS is more widely used.
-
Discussion over upgrading a mobile to P4, decided to stay at P5. Need for greater discussion surrounding how we handle P5's currently and investigating more mobile entries to add to the VRT.
Host: @plr0man
Co-host: @trimkadriu
Review duty: @EdisK
Active participants (other than the above): @theGmoney, @shpendk, @Dshiv, @barnett, @FatihEgbatan, @shipcod3
Attendees (other than the above): Abby Mulligan, @adamrdavid. @TheGarth, @jquinard, @rwilliamson2011, @roberttreder, @SwayzeSlacks85, @Tcune, @VinceMHernandez
Agenda items:
-
The team is continuing to look into the potential of distinguishing not applicable type of issues from P5’s in the VRT
-
Add a new VRT entry for SSRF -> DNS Queries #157
We agree that there’s need for such an entry. The issue needs some comments before filing a PR -
Suggestion to add new entry for WAF Bypass #159
We agree that there’s need for such an entry, but it needs a more specific name and more input before we file a PR
Host: @plr0man
Co-host: @jquinard
Review duty: @CarlosSimas28
Active participants (other than the above): @theGmoney, @rwilliamson2011, @chrashley-, @Tcune, @SwayzeSlacks85, @roberttreder, @shpendk, @TheGarth
Attendees (other than the above): @EdisK, @trimkadriu, @shipcod3, @VinceMHernandez
Agenda items:
-
The team is looking into the potential of distinguishing not applicable type of issues from P5’s in the VRT
-
Discussion on VRT Entry: Failure to Invalidate Session on Password Change #154
The issue was discussed and a response will be given shortly
Host: @jquinard
Review duty: @Tcune
Active participants (other than the above): @SwayzeSlacks85, @ryancblack, @TheGarth, @plr0man, @theGmoney, @CarlosSimas28
Attendees (other than the above): @rwilliamson2011, @roberttreder, @trimkadriu, @Tcune, @chrashley-, @EdisK, @shipcod3, @shpendk
Agenda items:
-
Mobile Security Misconfiguration > Copy/Paste Sensitive Data to Global Clipboard #150 has been approved and is waiting PR.
-
Revise 'Session Fixation' class to be more clear #152 has been approved. Session Fixation will be split into two entries. Waiting on PR.
-
New VRT entry for session token transferred over unencrypted channel (for non-cookie headers) #153 has been approved pending no new dissenting opinions. Waiting on PR.
Host: @plr0man
Review duty: @chrashley-
Active participants (other than the above): @jquinard, @barnett, @ryancblack, @TheGarth, @trimkadriu
Attendees (other than the above): @FatihEgbatan, @rwilliamson2011, @roberttreder, @SwayzeSlacks85, @VinceMHernandez
Agenda items:
-
VRT 1.4 is pending release on May 7th. The version has been cut and we are working on v1.5 now.
-
Add Flash-Based variants #151 is waiting for a review and a merge.
-
Add entry for - Mobile Security Misconfiguration > Copy/Paste Sensitive Data to Global Clipboard #150 will receive two sensitive/non-sensitive variants. Were waiting for more feedback on specific names and location
-
Revise 'Session Fixation' class to be more clear #152 will receive two variants corresponding to the remote and local attack vectors. We're waiting for more feedback on the specific classification
-
Need a new VRT entry for session token transferred over unencrypted channel (for non-cookie headers) #153 will receive a variant. We're waiting for more feedback on the specific classification
Host: @plr0man
Review duty: @FatihEgbatan
Active participants (other than the above): @barnett, @theGmoney, @shpendk
Attendees (other than the above): @CarlosSimas28, @Dshiv, @EdisK, Garth Brubaker, @jquinard, @rwilliamson2011, @roberttreder, @SwayzeSlacks85, @trimkadriu, @Tcune, @VinceMHernandez, @chrashley-
Agenda items:
-
VRT 1.4 release is approaching and the team is buttoning up all of the pending tasks
-
Remove staging environment distinction from the VRT #139 Merging this PR as proposed after an extensive discussion. Updating Brief verbiage to clarify the purpose of the VRT baselines and improving customer education
Host: @plr0man
Review duty: @trimkadriu
Active participants (other than the above): @barnett
Attendees (other than the above): @ryancblack, @Dshiv, @EdisK, @FatihEgbatan, Garth Brubaker, @shipcod3, @paulfri, @rwilliamson2011, @roberttreder, @shpendk, @Tcune, @VinceMHernandez
Agenda items:
-
VRT 1.4 release is approaching and the team is buttoning up all of the pending PRs
-
Add VRT to Remediation mapping #116
This PR needs some last updates and is ready to merge
Host: @plr0man
Review duty: @CarlosSimas28
Active participants (other than the above): @Dshiv
Attendees (other than the above): @jquinard, @FatihEgbatan, Garth Brubaker, @rwilliamson2011, @trimkadriu, @paulfri, @SwayzeSlacks85, @roberttreder, @Tcune, @VinceMHernandez
Agenda items:
-
Downgrade weak P4's #138 and Revise Weak Login Function subcategory #143
Waiting on engineering's assistance to fix CI tests -
Remove staging environment distinction from the VRT #139
Waiting for more feedback -
Other unmerged PRs and pending Issues
General discussion and scheduling action items for the team
Host: @plr0man
Review duty: Treder
Active participants (other than the above): @ryancblack, Grant Mccracken, @Dshiv, @barnett, @EdisK, @shpendk
Attendees (other than the above): @jquinard, @FatihEgbatan, Garth Brubaker, @rwilliamson2011, @trimkadriu, @CarlosSimas28, @chrashley-, @paulfri, @SwayzeSlacks85
Announcements: Vulnerability Roundtable has been divided into two separate meetings: Vulnerability Roundtable and VRT Council. VRT Council will be focusing on VRT related issues and the minutes from this meeting will continue to be shared here
Agenda items:
-
Revise 'Weak Login Function' subcategory #135
Waiting for any last minute comments before filing a PR -
Remove 'Network Security Misconfiguration > Telnet Enabled > Credentials Required' #140
Green light to file a PR -
Downgrade off-domain "XSS" using data urls to P5 #141
Clarification needed
Host: @plr0man
Minutes by: @Dshiv
Active participants (other than the above): @jhaddix, @EdisK, @chrashley-, @shpendk, @andMYhacks
Attendees (other than the above): @jquinard, @VinceMHernandez, @FatihEgbatan, Garth Brubaker, @rwilliamson2011, @trimkadriu, Vinicius Fernandes, Robert Treder, @raels, @CarlosSimas28, @shipcod3
Agenda items:
-
Add Flash-based Cross-Site Scripting (XSS) as P4 #120
It has been decided to include the proposed changes as part of the VRT 1.5 release -
Notable reports triaged this week
Host: @plr0man
Minutes by: @jquinard
Active participants (other than the above): @ryancblack, @jhaddix, @Dshiv, @caseyjohnellis,
@danielhtrauner, @EdisK, @shipcod3
Attendees (other than the above): @rwilliamson2011, @CarlosSimas28, @paragbaxi, @raels, @MacIT-SF, @trimkadriu, @SwayzeSlacks85, @shpendk, @elyrly, @VinceMHernandez
Agenda items:
-
General discussion and call for feedback on the pending VRT issues
-
Notable reports triaged this week
Host: @plr0man
Minutes by: @VinceMHernandez
Active participants (other than the above): @ryancblack, @chrashley-, @Dshiv, @caseyjohnellis, @trimkadriu, @SwayzeSlacks85, @shpendk
Attendees (other than the above): @jquinard, @FatihEgbatan, @rwilliamson2011, @EdisK, @Tcune, @CarlosSimas28, Robert Treder, @paragbaxi, @danielhtrauner, @raels
Agenda items:
-
Add Flash-based Cross-Site Scripting (XSS) as P4 #120
The team is in agreement and waiting for feedback from the researchers -
Revise weak P4 entries #133
The team is in agreement and waiting for any remaining comments from the researchers -
Revise 'Weak Login Function' subcategory #135
The team is in agreement and waiting for feedback from the researchers -
Notable reports triaged this week
Host: @plr0man
Minutes by: @shipcod3
Active participants (other than the above): @jhaddix, @ryancblack, @andMYhacks, @EdisK, @Dshiv
Attendees (other than the above): @Trainorsploit, @samhoustonbc, @jquinard, @raels, @SwayzeSlacks85, @shpendk, @chrashley-, @VinceMHernandez, @barnett, @FatihEgbatan, @rwilliamson2011, @trimkadriu, @brenthaas
Agenda items:
-
VRT entry for source code disclosure? #126
Last call for action before we close this issue -
Privilege escalations & language #131
The documentation delivered over support is under review -
Revise 'Weak Login Function' subcategory #135
Discussed potential for distinguishing staging environment variants -
Notable reports triaged this week
Host: @plr0man
Minutes by: @Tcune
Active participants (other than the above): @EdisK, @CarlosSimas28, @jquinard, @Dshiv, @brenthaas, @adamrdavid
Attendees (other than the above): @rwilliamson2011, @shipcod3, @SwayzeSlacks85, @raels, @VinceMHernandez, @Trainorsploit, @FatihEgbatan, @katherinel, @ryancblack, @shpendk, @cmanetta, @jeff-bugcrowd
Agenda items:
-
Discussing VRT entries that have potential to be downgraded to P5. We are reconsidering what is seen as noise/accepted risk, based on our experience with the majority of our customers and their expectations. At the same time we are offering the option to accept or customize P5s for others
-
Notable reports triaged this week
Host: @plr0man
Minutes by: @Tcune
Active participants (other than the above): @EdisK, @jhaddix, @caseyjohnellis, @shpendk, @andMYhacks
Attendees (other than the above): @rwilliamson2011, @CarlosSimas28, @shipcod3, @SwayzeSlacks85, @raels, @VinceMHernandez, @Trainorsploit, @jquinard, @Dshiv, Robert Treder, @raels, @FatihEgbatan
Agenda items:
-
Add VRT to Remediation mapping #116
Last updates pending and the project should be completed by the EOW -
Revise missing OAuth state parameter variant #124
Multiple opinions on how to approach this. Awaiting input from the team in the Issue -
VRT entry for source code disclosure? #126
Multiple opinions on how to approach this. Awaiting input from the team in the Issue -
Suggestions for P3 #127
Awaiting further review and input from the team in the Issue -
Notable reports triaged this week
-
JHaddix showing a chrome plugin called ReproNow that helps with reproduction
Host: @plr0man
Minutes by: @FatihEgbatan
Active participants (other than the above): @Dshiv, @jquinard, @danielhtrauner, @adamrdavid, @EdisK, @jhaddix, Robert Treder, @samhoustonbc
Attendees (other than the above): @rwilliamson2011, @CarlosSimas28, @shipcod3, @SwayzeSlacks85, @raels, @Tcune, @VinceMHernandez, @shpendk, @DevinRiley, Chris Trainor
Agenda items:
-
Revise missing OAUTH state parameter variant #124
Both proposed options sound appealing. Awaiting further review and input in the issue before any decisions can be made. -
Notable reports triaged this week
Host: @plr0man
Minutes by: @plr0man
Active participants (other than the above): @Dshiv, @jquinard, @EdisK, @rwilliamson2011, @CarlosSimas28, @shipcod3, @SwayzeSlacks85, @ryancblack
Attendees (other than the above): @FatihEgbatan, @raels, @Tcune, @VinceMHernandez, @brenthaas
Agenda items:
-
Add Stored XSS with user interaction #123
The entry classification has been chosen and is planned to be implemented -
Add Flash-based Cross-Site Scripting (XSS) as P4 #120
Closing due to lack of potential solution in the near future -
Notable reports triaged this week
Host: @plr0man
Minutes by: @VinceMHernandez
Active participants (other than the above): @Dshiv, @andMYhacks, @jquinard, @EdisK, @chrashley-
Attendees (other than the above): @FatihEgbatan, @raels, @rwilliamson2011, @danielhtrauner, @CarlosSimas28, @shpendk, @shipcod3, @SwayzeSlacks85
Agenda items:
-
Add Stored XSS with user interaction #123
Positive response from the team. Awaiting further review and input in the issue regarding best classification -
Add VRT to Remediation mapping #116
Project is moving forward and needs volunteers for review/updates -
Notable reports triaged this week
Host: @plr0man
Minutes by: @dshiv
Active participants (other than the above): @shipcod3, @jquinard, @dshiv, @EdisK
Attendees (other than the above): @FatihEgbatan, @raels, @rwilliamson2011, @Tcune, Robert Treder
Agenda items:
-
Folder Permissions in Thick Clients #121
This class of reports will be closely evaluated and the VRT will be adjusted if necessary based on near future experience -
DLL Hijacking should be P2 or P3 #118
Discussion in progress can be viewed in the issue -
Notable reports triaged this week
Host: @plr0man
Minutes by: @plr0man
Active participants (other than the above): @SwayzeSlacks85, @jquinard, @rwilliamson2011
Attendees (other than the above): @shipcod3, @FatihEgbatan, @ryancblack, @danielhtrauner, @raels
Agenda items:
-
DLL Hijacking should be P2 or P3 #118
Discussion will continue next week due to the holiday season -
Add Flash-based Cross-Site Scripting (XSS) as P4 #120
It’s tempting to add an entry here, but it doesn’t seem to be the right solution for the problem. Currently this kind of additional prerequisites are considered by the ASE/customer during triage and the default severity can be downgraded based on context. More info in #72 -
Folder Permissions in Thick Clients #121
Discussion will continue next week due to the holiday season -
Chaining vulnerabilities might require additional researcher documentation
Host: @ryancblack
Minutes by: @jquinard
Active participants (other than the above): @shpendk, @ryancblack
Attendees (other than the above): @SwayzeSlacks85, @Tcune, @Dshiv, @shipcod3, @EdisK, @paragbaxi, @CarlosSimas28, @brenthaas, @rwilliamson2011, @FatihEgbatan, @samhoustonbc, Devin Riley, @danielhtrauner, Grant McCracken
Agenda items:
-
DLL Hijacking should be P2 or P3 #118
Possibly have 2 variants? One high (P2/P3) and one P5. Keeping conversation open. -
Notable reports triaged this week
Host: @plr0man
Minutes by: @CarlosSimas28
Active participants (other than the above): @EdisK, @jquinard, @shipcod3, @barnett
Attendees (other than the above): @SwayzeSlacks85, @shpendk, @Tcune, @Dshiv, @raels, @VinceMHernandez
Announcements: We are excited to announce that VRT to CWE mapping is complete now
Agenda items:
-
Update all VRT to CWE mappings #115
Successfully implemented CWE mapping -
Add VRT to Remediation mapping #116
A new internal PR that will be discussed as soon as we have the resources to approach the implementation -
Notable reports triaged this week
Host: @plr0man
Minutes by: @shipcod3
Active participants (other than the above): @ryancblack, @andMYhacks, @shpendk, @EdisK, @SwayzeSlacks85, @jquinard, @FatihEgbatan, @samhoustonbc
Attendees (other than the above):, @rwilliamson2011, @fiid, @Tcune, Patrick Mell, @raels, @adamrdavid, @brenthaas, @CarlosSimas28, @Dshiv
Announcements: We are looking for reviewers for the VRT to CWE mappings
Agenda items:
-
Adding 'Database Management System (DBMS) Misconfiguration' subcategory #110
We are waiting for any last minute comments by the EOD -
My concerns with this project as a whole. #111
General discussion on researcher concerns about the VRT -
Add VRT to CWE mapping #112
An important milestone in the mapping between both taxonomies. We are in process of updating the particular mappings, which will be posted as a PR ASAP. -
Notable reports triaged this week
Host: @plr0man
Minutes by: @CarlosS
Active participants (other than the above): @jquinard, @Tcune, @SwayzeSlacks85, @Dshiv, @ryancblack, @shpendk, @EdisK
Attendees (other than the above): @VinceMHernandez, @shipcod3, @rwilliamson2011, @raels, @fiid
Agenda items:
-
Update 'All Sessions' to 'Concurrent Sessions On Logout’ #109
There’s a little bit of confusion around what some of the current session invalidation entries stand for. We decided to update this particular variant with a more explicit name -
Add Source Code Disclosure #107
Question from a researcher regarding a potential new subcategory. Currently a low priority task, that will be discussed further internally -
Missing SPF on Email Domain #108
Question from a researcher regarding a case by case triage. No need for adjustments -
Notable reports triaged this week
Host: @plr0man
Minutes by: @EdisK
Active participants (other than the above): @shipcod3, @ryancblack
Attendees (other than the above): @jquinard, @SwayzeSlacks85, @VinceMHernandez, @raels, @tommedhurst, @CarlosSimas28, @paragbaxi, @brenthaas, @Dshiv, @rwilliamson2011
Agenda items:
- Notable reports triaged this week
Host: @plr0man
Minutes by: @chrashley-
Active participants (other than the above): @Dshiv, @jquinard, @shipcod3, @EdisK, @CarlosSimas28
Attendees (other than the above): @SwayzeSlacks85, @brenthaas, @raels, @FatihEgbatan, @paragbaxi, @rwilliamson2011, @ryancblack, @shpendk, @tommedhurst, @VinceMHernandez, @fiid, @Tcune
Announcements: We are looking for volunteers to help with the CWE mapping
Agenda items:
-
Should unauthenticated-only XSS be rated as P3?
Since this kind of vulnerability provides iframe injection potential, which is currently rated as P3 in the VRT, we will not be considering any updates at this time -
Should internal SSRF classification have more granularity to promote better PoCs?
Given the potential high security risk associated with this type of vulnerabilities, we will be leaving current classification as is, incentivising these findings regardless of the researcher’s ability to further exploit it
Host: @plr0man
Minutes by: @FatihEgbatan
Active participants (other than the above): @jquinard, @Dshiv, @jhaddix, @rwilliamson2011, @SwayzeSlacks85, @EdisK, @shipcod3
Attendees (other than the above): @adamrdavid, @CarlosSimas28, @FatihEgbatan, @VinceMHernandez, @katherinel
Announcements: We are looking into potentially expanding the mobile entries in the VRT and any feedback in that regard.
Agenda items:
-
CWE Mapping #99
Background: Revisiting #33 for CWE now that CVSS (#86) is in.
Result: We will be implementing the CWE mapping based on JHaddix's team's mapping draft. CVSS and CWE as any other mappings are designed to be in separate files under the mappings folder. -
Append RTLO to File Extension Filter Bypass #98
Background: There’s a need to specify RTLO type of issues in the VRT to provide more transparency
Result: During the internal discussion it was initially agreed to append RTLO to the current variant File Extension Filter Bypass.
Host: @CarlosSimas28
Co-host: N/A
Minutes by: @shipcod3
Active participants (other than the above): @rwilliamson2011, @SwayzeSlacks85
Attendees (other than the above): @jquinard, @Dshiv, @jhaddix, @EdisK, @FatihEgbatan, @VinceMHernandez, @Tcune
Agenda Items:
- Append RTLO to File Extension Filter Bypass #98 Background: There’s a need to specify RTLO type of issues to the VRT for more transparency Result: During an internal discussion we agreed to append RTLO to the current variant File Extension Filter Bypass.
Host: @plr0man
Minutes by: @VinceMHernandez
Active participants (other than the above): @CarlosSimas28, @SwayzeSlacks85, @shipcod3, @jhaddix, @chrashley-
Attendees (other than the above): @Dshiv, @FatihEgbatan, @shpendk, @raels
Announcements: This week the hacking guru and Head of Trust and Security at Bugcrowd, Jason Haddix is sharing his recent experiences with our platform and programs from a researcher perspective
Agenda items:
- Second Factor Authentication Bypass Proposal #94
Background: Previously reported issue and we currently have a "Weak 2FA Implementation" entry that is context based.
Context based seems appropriate and we will await any further feedback from other researchers.
Host: @plr0man
Minutes by: @shipcod3
Active participants (other than the above): @shpendk, @FatihEgbatan, @rwilliamson2011, @chrashley-, @VinceMHernandez
Attendees (other than the above): @jquinard, @SwayzeSlacks85, @raels, @tommedhurst, @Tcune, @CarlosSimas28
Announcements: The Vulnerability Roundtable will be held on Fridays as of today
Agenda items:
-
SQL Injection priorities #92
Background: A researcher is proposing adding a new Union-based SQL Injection entry.
We are considering removing both SQL Injection subcategories and leaving one SQL Injection P1 category. This has to be further discussed. -
Add "Token is Not Invalidated After Login" variant under "Weak Password Reset Implementation" #89
Background: Not an often reported issue which appears to be a P5
We agreed that adding this entry to the VRT will be beneficial for both the researchers and the ASEs.
Host: @plr0man
Minutes by: @Dshiv
Active participants (other than the above): @CarlosSimas28, @jquinard, @shpendk, @SwayzeSlacks85
Attendees (other than the above):, @EdisK, @shipcod3, @Timmehs, @VinceMHernandez, @FatihEgbatan, @Tcune, @ryancblack
Announcements: This week we are updating the readme to include the minutes and more information on how we use the VRT
Agenda items:
-
Add UXSS for browser plugins and browser #85
Background: A researcher would like to introduce a new VRT entry because he does not agree with the rating on his submission
As much as we agree that certain UXSS issues could be rated higher than the default P4, those are exceptions. Since the VRT gives us the flexibility of adjusting the default rating, we do not feel that there’s a need to add a new entry in this case. -
Add CVSS mapping #86
Background: Breaking ground for mapping the VRT to various classifications/taxonomies A lot of work has been done here and this PR is almost ready to merge. CVSS and CWE mappings have been separated from the main VRT file and are going to be implemented in a separate directory. We are looking for volunteers to review this PR. -
Added second factor bypass subcategory #87
Background: A researcher is proposing adding 2FA bypass as a P2 entry
We currently have an entry that is context based and seems to be appropriate given the varying security risk. -
Other discussion:
Should the Bugcrowd’s main VRT page be updated with more explanation on how we use the VRT?
Host: @plr0man
Minutes by: @Tcune
Active participants (other than the above): @CarlosSimas28, @jhaddix, @EdisK
Attendees (other than the above): @adamrdavid, @shpendk, @danielhtrauner, @FatihEgbatan, @shipcod3, @jquinard, @maschwenk, @rwilliamson2011, @SwayzeSlacks85, @Timmehs, @VinceMHernandez
Announcements: Introducing VRT duty: one ASE per week on rotation will be responsible for the Vulnerability Roundtable minutes and ongoing PR reviews.
Agenda items:
-
Mapping to CWE and CVSS #33
The engineering team is getting ready to release the CVSS/CWE mappings. We’re looking for volunteers to review the upcoming updates. The updates should be done by the middle of the week by @plr0man, the review should be completed by the EOW. -
Add Bitsquatting classification to VRT #82
Background: We have seen numerous reports of Bitsquatting across our programs.
Priority Verdict: Unanimously P5 - Informational. It is a low risk hardware issue affecting computer memory and will not be considered as vulnerability in clients’ software. We will be verifying if the reported domain is not owned by the client and checking if it is a Bitsquatting domain to determine if the report qualifies as applicable.
Category Verdict: To be discussed in the Issue -
Broken Link Hijacking #84
Background: Good writeup. However we do not see the need to add/change any entries as it looks like current entries are sufficient to classify all potential scenarios. Important note is that the researchers have to provide evidence similar as in case of subdomain takeover.
Host: @plr0man
Co-host: @CarlosSimas28
Minutes by: @jquinard
Active participants (other than the above): @shipcod3, @rwilliamson2011, @SwayzeSlacks85, @ryancblack
Attendees (other than the above): @EdisK, @chrashley-, @FatihEgbatan, @shpendk, @VinceMHernandez, @Dshiv
Announcements: We are beginning to publish minutes from the VRT oriented part of the Vulnerability Roundtable
Agenda items:
-
Adding Missing DNS CAA Record Classification #78
Background: Numerous submissions being recently made across our programs
Verdict: Unanimously P5 - Informational due to the defense-in-depth nature of this security mechanism. -
Adding TapJacking classification to VRT #79
Background: A class of issues that was being looked into as a potential P4, similar to Clickjacking
Verdict: Unanimously P5 - Informational due to multiple prerequisites, mainly the need of being performed on an unpatched Android Marshmallow or earlier unsupported versions.