Bugcrowd’s Vulnerability Rating Taxonomy

Bugcrowd’s Vulnerability Rating Taxonomy is a resource outlining Bugcrowd’s baseline priority rating, including certain edge cases, for common vulnerabilities. Have a suggestion to improve the VRT? Join the conversation on GitHub.

Vulnerability Rating Taxonomy

Version 1.10, last updated on 29 Mar 2021 (the current version is 1.15).
| Technical severity | VRT category | Specific vulnerability name | Variant / Affected function |
|---|---|---|---|
| P1 | Server Security Misconfiguration | Using Default Credentials | |
| P1 | Server-Side Injection | File Inclusion | Local |
| P1 | Server-Side Injection | Remote Code Execution (RCE) | |
| P1 | Server-Side Injection | SQL Injection | |
| P1 | Server-Side Injection | XML External Entity Injection (XXE) | |
| P1 | Broken Authentication and Session Management | Authentication Bypass | |
| P1 | Sensitive Data Exposure | Disclosure of Secrets | For Publicly Accessible Asset |
| P1 | Insecure OS/Firmware | Command Injection | |
| P1 | Insecure OS/Firmware | Hardcoded Password | Privileged User |
| P1 | Broken Cryptography | Cryptographic Flaw | Incorrect Usage |
| P1 | Automotive Security Misconfiguration | Infotainment, Radio Head Unit | PII Leakage |
| P1 | Automotive Security Misconfiguration | RF Hub | Key Fob Cloning |
| P2 | Server Security Misconfiguration | Misconfigured DNS | High Impact Subdomain Takeover |
| P2 | Server Security Misconfiguration | OAuth Misconfiguration | Account Takeover |
| P2 | Sensitive Data Exposure | Weak Password Reset Implementation | Token Leakage via Host Header Poisoning |
| P2 | Cross-Site Scripting (XSS) | Stored | Non-Privileged User to Anyone |
| P2 | Broken Access Control (BAC) | Server-Side Request Forgery (SSRF) | Internal High Impact |
| P2 | Cross-Site Request Forgery (CSRF) | Application-Wide | |
| P2 | Application-Level Denial-of-Service (DoS) | Critical Impact and/or Easy Difficulty | |
| P2 | Insecure OS/Firmware | Hardcoded Password | Non-Privileged User |
| P2 | Automotive Security Misconfiguration | Infotainment, Radio Head Unit | OTA Firmware Manipulation |
| P2 | Automotive Security Misconfiguration | Infotainment, Radio Head Unit | Code Execution (CAN Bus Pivot) |
| P2 | Automotive Security Misconfiguration | RF Hub | CAN Injection / Interaction |
| P3 | Server Security Misconfiguration | Misconfigured DNS | Basic Subdomain Takeover |
| P3 | Server Security Misconfiguration | Mail Server Misconfiguration | No Spoofing Protection on Email Domain |
| P3 | Server-Side Injection | HTTP Response Manipulation | Response Splitting (CRLF) |
| P3 | Server-Side Injection | Content Spoofing | iframe Injection |
| P3 | Broken Authentication and Session Management | Second Factor Authentication (2FA) Bypass | |
| P3 | Broken Authentication and Session Management | Session Fixation | Remote Attack Vector |
| P3 | Sensitive Data Exposure | Disclosure of Secrets | For Internal Asset |
| P3 | Sensitive Data Exposure | EXIF Geolocation Data Not Stripped From Uploaded Images | Automatic User Enumeration |
| P3 | Cross-Site Scripting (XSS) | Stored | Privileged User to Privilege Elevation |
| P3 | Cross-Site Scripting (XSS) | Stored | CSRF/URL-Based |
| P3 | Cross-Site Scripting (XSS) | Reflected | Non-Self |
| P3 | Broken Access Control (BAC) | Server-Side Request Forgery (SSRF) | Internal Scan and/or Medium Impact |
| P3 | Application-Level Denial-of-Service (DoS) | High Impact and/or Medium Difficulty | |
| P3 | Client-Side Injection | Binary Planting | Default Folder Privilege Escalation |
| P3 | Automotive Security Misconfiguration | Infotainment, Radio Head Unit | Code Execution (No CAN Bus Pivot) |
| P3 | Automotive Security Misconfiguration | Infotainment, Radio Head Unit | Unauthorized Access to Services (API / Endpoints) |
| P3 | Automotive Security Misconfiguration | RF Hub | Data Leakage / Pull Encryption Mechanism |
| P3 | Automotive Security Misconfiguration | CAN | Injection (Battery Management System) |
| P3 | Automotive Security Misconfiguration | CAN | Injection (Steering Control) |
| P3 | Automotive Security Misconfiguration | CAN | Injection (Pyrotechnical Device Deployment Tool) |
| P3 | Automotive Security Misconfiguration | CAN | Injection (Headlights) |
| P3 | Automotive Security Misconfiguration | CAN | Injection (Sensors) |
| P3 | Automotive Security Misconfiguration | CAN | Injection (Vehicle Anti-theft Systems) |
| P3 | Automotive Security Misconfiguration | CAN | Injection (Powertrain) |
| P3 | Automotive Security Misconfiguration | CAN | Injection (Basic Safety Message) |
| P3 | Automotive Security Misconfiguration | Battery Management System | Firmware Dump |
| P3 | Automotive Security Misconfiguration | Immobilizer | Engine Start |
| P3 | Automotive Security Misconfiguration | Automatic Braking System (ABS) | Unintended Acceleration / Brake |
| P4 | Server Security Misconfiguration | Misconfigured DNS | Zone Transfer |
| P4 | Server Security Misconfiguration | Mail Server Misconfiguration | Email Spoofing to Inbox due to Missing or Misconfigured DMARC on Email Domain |
| P4 | Server Security Misconfiguration | Database Management System (DBMS) Misconfiguration | Excessively Privileged User / DBA |
| P4 | Server Security Misconfiguration | Lack of Password Confirmation | Delete Account |
| P4 | Server Security Misconfiguration | No Rate Limiting on Form | Registration |
| P4 | Server Security Misconfiguration | No Rate Limiting on Form | Login |
| P4 | Server Security Misconfiguration | No Rate Limiting on Form | Email-Triggering |
| P4 | Server Security Misconfiguration | No Rate Limiting on Form | SMS-Triggering |
| P4 | Server Security Misconfiguration | Missing Secure or HTTPOnly Cookie Flag | Session Token |
| P4 | Server Security Misconfiguration | Clickjacking | Sensitive Click-Based Action |
| P4 | Server Security Misconfiguration | OAuth Misconfiguration | Account Squatting |
| P4 | Server Security Misconfiguration | CAPTCHA | Implementation Vulnerability |
| P4 | Server Security Misconfiguration | Lack of Security Headers | Cache-Control for a Sensitive Page |
| P4 | Server Security Misconfiguration | Web Application Firewall (WAF) Bypass | Direct Server Access |
| P4 | Server-Side Injection | Content Spoofing | Impersonation via Broken Link Hijacking |
| P4 | Server-Side Injection | Content Spoofing | External Authentication Injection |
| P4 | Server-Side Injection | Content Spoofing | Email HTML Injection |
| P4 | Server-Side Injection | Server-Side Template Injection (SSTI) | Basic |
| P4 | Broken Authentication and Session Management | Cleartext Transmission of Session Token | |
| P4 | Broken Authentication and Session Management | Weak Login Function | Other Plaintext Protocol with no Secure Alternative |
| P4 | Broken Authentication and Session Management | Weak Login Function | Over HTTP |
| P4 | Broken Authentication and Session Management | Failure to Invalidate Session | On Logout (Client and Server-Side) |
| P4 | Broken Authentication and Session Management | Failure to Invalidate Session | On Password Reset and/or Change |
| P4 | Broken Authentication and Session Management | Weak Registration Implementation | Over HTTP |
| P4 | Sensitive Data Exposure | Disclosure of Secrets | Pay-Per-Use Abuse |
| P4 | Sensitive Data Exposure | EXIF Geolocation Data Not Stripped From Uploaded Images | Manual User Enumeration |
| P4 | Sensitive Data Exposure | Visible Detailed Error/Debug Page | Detailed Server Configuration |
| P4 | Sensitive Data Exposure | Token Leakage via Referer | Untrusted 3rd Party |
| P4 | Sensitive Data Exposure | Token Leakage via Referer | Over HTTP |
| P4 | Sensitive Data Exposure | Sensitive Token in URL | User Facing |
| P4 | Sensitive Data Exposure | Weak Password Reset Implementation | Password Reset Token Sent Over HTTP |
| P4 | Sensitive Data Exposure | Via localStorage/sessionStorage | Sensitive Token |
| P4 | Cross-Site Scripting (XSS) | Stored | Privileged User to No Privilege Elevation |
| P4 | Cross-Site Scripting (XSS) | IE-Only | IE11 |
| P4 | Cross-Site Scripting (XSS) | Referer | |
| P4 | Cross-Site Scripting (XSS) | Universal (UXSS) | |
| P4 | Cross-Site Scripting (XSS) | Off-Domain | Data URI |
| P4 | Broken Access Control (BAC) | Server-Side Request Forgery (SSRF) | External |
| P4 | Broken Access Control (BAC) | Username/Email Enumeration | Non-Brute Force |
| P4 | Unvalidated Redirects and Forwards | Open Redirect | GET-Based |
| P4 | Insufficient Security Configurability | No Password Policy | |
| P4 | Insufficient Security Configurability | Weak Password Reset Implementation | Token is Not Invalidated After Use |
| P4 | Insufficient Security Configurability | Weak 2FA Implementation | 2FA Secret Cannot be Rotated |
| P4 | Insufficient Security Configurability | Weak 2FA Implementation | 2FA Secret Remains Obtainable After 2FA is Enabled |
| P4 | Insecure Data Storage | Sensitive Application Data Stored Unencrypted | On External Storage |
| P4 | Insecure Data Storage | Server-Side Credentials Storage | Plaintext |
| P4 | Insecure Data Transport | Executable Download | No Secure Integrity Check |
| P4 | Privacy Concerns | Unnecessary Data Collection | WiFi SSID+Password |
| P4 | Automotive Security Misconfiguration | Infotainment, Radio Head Unit | Source Code Dump |
| P4 | Automotive Security Misconfiguration | Infotainment, Radio Head Unit | Denial of Service (DoS / Brick) |
| P4 | Automotive Security Misconfiguration | Infotainment, Radio Head Unit | Default Credentials |
| P4 | Automotive Security Misconfiguration | RF Hub | Unauthorized Access / Turn On |
| P4 | Automotive Security Misconfiguration | CAN | Injection (Disallowed Messages) |
| P4 | Automotive Security Misconfiguration | CAN | Injection (DoS) |
| P4 | Automotive Security Misconfiguration | Battery Management System | Fraudulent Interface |
| P4 | Automotive Security Misconfiguration | GNSS / GPS | Spoofing |
| P4 | Automotive Security Misconfiguration | Roadside Unit (RSU) | Sybil Attack |
| P5 | Server Security Misconfiguration | Directory Listing Enabled | Non-Sensitive Data Exposure |
| P5 | Server Security Misconfiguration | Same-Site Scripting | |
| P5 | Server Security Misconfiguration | Misconfigured DNS | Missing Certification Authority Authorization (CAA) Record |
| P5 | Server Security Misconfiguration | Mail Server Misconfiguration | Email Spoofing to Spam Folder |
| P5 | Server Security Misconfiguration | Mail Server Misconfiguration | Missing or Misconfigured SPF and/or DKIM |
| P5 | Server Security Misconfiguration | Mail Server Misconfiguration | Email Spoofing on Non-Email Domain |
| P5 | Server Security Misconfiguration | Lack of Password Confirmation | Change Email Address |
| P5 | Server Security Misconfiguration | Lack of Password Confirmation | Change Password |
| P5 | Server Security Misconfiguration | Lack of Password Confirmation | Manage 2FA |
| P5 | Server Security Misconfiguration | No Rate Limiting on Form | Change Password |
| P5 | Server Security Misconfiguration | Unsafe File Upload | No Antivirus |
| P5 | Server Security Misconfiguration | Unsafe File Upload | No Size Limit |
| P5 | Server Security Misconfiguration | Unsafe File Upload | File Extension Filter Bypass |
| P5 | Server Security Misconfiguration | Cookie Scoped to Parent Domain | |
| P5 | Server Security Misconfiguration | Missing Secure or HTTPOnly Cookie Flag | Non-Session Cookie |
| P5 | Server Security Misconfiguration | Clickjacking | Form Input |
| P5 | Server Security Misconfiguration | Clickjacking | Non-Sensitive Action |
| P5 | Server Security Misconfiguration | CAPTCHA | Brute Force |
| P5 | Server Security Misconfiguration | CAPTCHA | Missing |
| P5 | Server Security Misconfiguration | Exposed Admin Portal | To Internet |
| P5 | Server Security Misconfiguration | Missing DNSSEC | |
| P5 | Server Security Misconfiguration | Fingerprinting/Banner Disclosure | |
| P5 | Server Security Misconfiguration | Username/Email Enumeration | Brute Force |
| P5 | Server Security Misconfiguration | Potentially Unsafe HTTP Method Enabled | OPTIONS |
| P5 | Server Security Misconfiguration | Potentially Unsafe HTTP Method Enabled | TRACE |
| P5 | Server Security Misconfiguration | Insecure SSL | Lack of Forward Secrecy |
| P5 | Server Security Misconfiguration | Insecure SSL | Insecure Cipher Suite |
| P5 | Server Security Misconfiguration | Insecure SSL | Certificate Error |
| P5 | Server Security Misconfiguration | Reflected File Download (RFD) | |
| P5 | Server Security Misconfiguration | Lack of Security Headers | X-Frame-Options |
| P5 | Server Security Misconfiguration | Lack of Security Headers | Cache-Control for a Non-Sensitive Page |
| P5 | Server Security Misconfiguration | Lack of Security Headers | X-XSS-Protection |
| P5 | Server Security Misconfiguration | Lack of Security Headers | Strict-Transport-Security |
| P5 | Server Security Misconfiguration | Lack of Security Headers | X-Content-Type-Options |
| P5 | Server Security Misconfiguration | Lack of Security Headers | Content-Security-Policy |
| P5 | Server Security Misconfiguration | Lack of Security Headers | Public-Key-Pins |
| P5 | Server Security Misconfiguration | Lack of Security Headers | X-Content-Security-Policy |
| P5 | Server Security Misconfiguration | Lack of Security Headers | X-Webkit-CSP |
| P5 | Server Security Misconfiguration | Lack of Security Headers | Content-Security-Policy-Report-Only |
| P5 | Server Security Misconfiguration | Bitsquatting | |
| P5 | Server-Side Injection | Parameter Pollution | Social Media Sharing Buttons |
| P5 | Server-Side Injection | Content Spoofing | Flash Based External Authentication Injection |
| P5 | Server-Side Injection | Content Spoofing | Email Hyperlink Injection Based on Email Provider |
| P5 | Server-Side Injection | Content Spoofing | Text Injection |
| P5 | Server-Side Injection | Content Spoofing | Homograph/IDN-Based |
| P5 | Server-Side Injection | Content Spoofing | Right-to-Left Override (RTLO) |
| P5 | Broken Authentication and Session Management | Weak Login Function | Not Operational or Intended Public Access |
| P5 | Broken Authentication and Session Management | Session Fixation | Local Attack Vector |
| P5 | Broken Authentication and Session Management | Failure to Invalidate Session | On Logout (Server-Side Only) |
| P5 | Broken Authentication and Session Management | Failure to Invalidate Session | Concurrent Sessions On Logout |
| P5 | Broken Authentication and Session Management | Failure to Invalidate Session | On Email Change |
| P5 | Broken Authentication and Session Management | Failure to Invalidate Session | On 2FA Activation/Change |
| P5 | Broken Authentication and Session Management | Failure to Invalidate Session | Long Timeout |
| P5 | Broken Authentication and Session Management | Concurrent Logins | |
| P5 | Sensitive Data Exposure | Disclosure of Secrets | Intentionally Public, Sample or Invalid |
| P5 | Sensitive Data Exposure | Disclosure of Secrets | Data/Traffic Spam |
| P5 | Sensitive Data Exposure | Disclosure of Secrets | Non-Corporate User |
| P5 | Sensitive Data Exposure | Visible Detailed Error/Debug Page | Full Path Disclosure |
| P5 | Sensitive Data Exposure | Visible Detailed Error/Debug Page | Descriptive Stack Trace |
| P5 | Sensitive Data Exposure | Disclosure of Known Public Information | |
| P5 | Sensitive Data Exposure | Token Leakage via Referer | Trusted 3rd Party |
| P5 | Sensitive Data Exposure | Sensitive Token in URL | In the Background |
| P5 | Sensitive Data Exposure | Sensitive Token in URL | On Password Reset |
| P5 | Sensitive Data Exposure | Non-Sensitive Token in URL | |
| P5 | Sensitive Data Exposure | Mixed Content (HTTPS Sourcing HTTP) | |
| P5 | Sensitive Data Exposure | Sensitive Data Hardcoded | OAuth Secret |
| P5 | Sensitive Data Exposure | Sensitive Data Hardcoded | File Paths |
| P5 | Sensitive Data Exposure | Internal IP Disclosure | |
| P5 | Sensitive Data Exposure | JSON Hijacking | |
| P5 | Sensitive Data Exposure | Via localStorage/sessionStorage | Non-Sensitive Token |
| P5 | Cross-Site Scripting (XSS) | Stored | Self |
| P5 | Cross-Site Scripting (XSS) | Reflected | Self |
| P5 | Cross-Site Scripting (XSS) | Flash-Based | |
| P5 | Cross-Site Scripting (XSS) | Cookie-Based | |
| P5 | Cross-Site Scripting (XSS) | IE-Only | XSS Filter Disabled |
| P5 | Cross-Site Scripting (XSS) | IE-Only | Older Version (< IE11) |
| P5 | Cross-Site Scripting (XSS) | TRACE Method | |
| P5 | Broken Access Control (BAC) | Server-Side Request Forgery (SSRF) | DNS Query Only |
| P5 | Cross-Site Request Forgery (CSRF) | Action-Specific | Logout |
| P5 | Cross-Site Request Forgery (CSRF) | CSRF Token Not Unique Per Request | |
| P5 | Cross-Site Request Forgery (CSRF) | Flash-Based | |
| P5 | Application-Level Denial-of-Service (DoS) | App Crash | Malformed Android Intents |
| P5 | Application-Level Denial-of-Service (DoS) | App Crash | Malformed iOS URL Schemes |
| P5 | Unvalidated Redirects and Forwards | Open Redirect | POST-Based |
| P5 | Unvalidated Redirects and Forwards | Open Redirect | Header-Based |
| P5 | Unvalidated Redirects and Forwards | Open Redirect | Flash-Based |
| P5 | Unvalidated Redirects and Forwards | Tabnabbing | |
| P5 | Unvalidated Redirects and Forwards | Lack of Security Speed Bump Page | |
| P5 | External Behavior | Browser Feature | Plaintext Password Field |
| P5 | External Behavior | Browser Feature | Save Password |
| P5 | External Behavior | Browser Feature | Autocomplete Enabled |
| P5 | External Behavior | Browser Feature | Autocorrect Enabled |
| P5 | External Behavior | Browser Feature | Aggressive Offline Caching |
| P5 | External Behavior | CSV Injection | |
| P5 | External Behavior | Captcha Bypass | Crowdsourcing |
| P5 | External Behavior | System Clipboard Leak | Shared Links |
| P5 | External Behavior | User Password Persisted in Memory | |
| P5 | Insufficient Security Configurability | Weak Password Policy | |
| P5 | Insufficient Security Configurability | Password Policy Bypass | |
| P5 | Insufficient Security Configurability | Weak Password Reset Implementation | Token is Not Invalidated After Email Change |
| P5 | Insufficient Security Configurability | Weak Password Reset Implementation | Token is Not Invalidated After Password Change |
| P5 | Insufficient Security Configurability | Weak Password Reset Implementation | Token Has Long Timed Expiry |
| P5 | Insufficient Security Configurability | Weak Password Reset Implementation | Token is Not Invalidated After New Token is Requested |
| P5 | Insufficient Security Configurability | Weak Password Reset Implementation | Token is Not Invalidated After Login |
| P5 | Insufficient Security Configurability | Verification of Contact Method not Required | |
| P5 | Insufficient Security Configurability | Lack of Notification Email | |
| P5 | Insufficient Security Configurability | Weak Registration Implementation | Allows Disposable Email Addresses |
| P5 | Insufficient Security Configurability | Weak 2FA Implementation | Missing Failsafe |
| P5 | Insufficient Security Configurability | Weak 2FA Implementation | 2FA Code is Not Updated After New Code is Requested |
| P5 | Insufficient Security Configurability | Weak 2FA Implementation | Old 2FA Code is Not Invalidated After New Code is Generated |
| P5 | Using Components with Known Vulnerabilities | Rosetta Flash | |
| P5 | Using Components with Known Vulnerabilities | Outdated Software Version | |
| P5 | Using Components with Known Vulnerabilities | Captcha Bypass | OCR (Optical Character Recognition) |
| P5 | Insecure Data Storage | Sensitive Application Data Stored Unencrypted | On Internal Storage |
| P5 | Insecure Data Storage | Non-Sensitive Application Data Stored Unencrypted | |
| P5 | Insecure Data Storage | Screen Caching Enabled | |
| P5 | Lack of Binary Hardening | Lack of Exploit Mitigations | |
| P5 | Lack of Binary Hardening | Lack of Jailbreak Detection | |
| P5 | Lack of Binary Hardening | Lack of Obfuscation | |
| P5 | Lack of Binary Hardening | Runtime Instrumentation-Based | |
| P5 | Insecure Data Transport | Executable Download | Secure Integrity Check |
| P5 | Network Security Misconfiguration | Telnet Enabled | |
| P5 | Mobile Security Misconfiguration | SSL Certificate Pinning | Absent |
| P5 | Mobile Security Misconfiguration | SSL Certificate Pinning | Defeatable |
| P5 | Mobile Security Misconfiguration | Tapjacking | |
| P5 | Mobile Security Misconfiguration | Clipboard Enabled | |
| P5 | Mobile Security Misconfiguration | Auto Backup Allowed by Default | |
| P5 | Client-Side Injection | Binary Planting | Non-Default Folder Privilege Escalation |
| P5 | Client-Side Injection | Binary Planting | No Privilege Escalation |
| P5 | Automotive Security Misconfiguration | RF Hub | Roll Jam |
| P5 | Automotive Security Misconfiguration | RF Hub | Replay |
| P5 | Automotive Security Misconfiguration | RF Hub | Relay |
| Varies | Server Security Misconfiguration | Unsafe Cross-Origin Resource Sharing | |
| Varies | Server Security Misconfiguration | Path Traversal | |
| Varies | Server Security Misconfiguration | Directory Listing Enabled | Sensitive Data Exposure |
| Varies | Server Security Misconfiguration | SSL Attack (BREACH, POODLE etc.) | |
| Varies | Server Security Misconfiguration | OAuth Misconfiguration | Missing/Broken State Parameter |
| Varies | Server Security Misconfiguration | OAuth Misconfiguration | Insecure Redirect URI |
| Varies | Server Security Misconfiguration | Race Condition | |
| Varies | Server Security Misconfiguration | Cache Poisoning | |
| Varies | Server-Side Injection | Server-Side Template Injection (SSTI) | Custom |
| Varies | Broken Authentication and Session Management | Privilege Escalation | |
| Varies | Sensitive Data Exposure | Cross Site Script Inclusion (XSSI) | |
| Varies | Broken Access Control (BAC) | Insecure Direct Object References (IDOR) | |
| Varies | Broken Access Control (BAC) | Exposed Sensitive Android Intent | |
| Varies | Broken Access Control (BAC) | Exposed Sensitive iOS URL Scheme | |
| Varies | Cross-Site Request Forgery (CSRF) | Action-Specific | Authenticated Action |
| Varies | Cross-Site Request Forgery (CSRF) | Action-Specific | Unauthenticated Action |
| Varies | Insecure Data Transport | Cleartext Transmission of Sensitive Data | |
| Varies | Indicators of Compromise | | |