Require Maintainers to Provide Justification in Downgrades #2280

Open
dievus opened this issue Jul 7, 2022 · 0 comments
dievus commented Jul 7, 2022

Hi team! As Jamie knows (and maybe others), I have brought up an issue where maintainers can downgrade severity scores without justification, reasoning, or, at times, anything based on sound cybersecurity best practices and policies. I am not a typical bug bounty hunter. I'm a red team lead and am aware of the differences between the two. However, CVSS severity is a (mostly) objective assessment based on industry best practices and years of research. I understand that there needs to be some context in the application at hand, and how a vulnerability may affect it. I understand that the developers and maintainers may know their applications best. I also understand, from my experience in this field, that the product owner rarely understands the bigger picture of cybersecurity, and it's exactly why they solicit our services. Bug bounty hunting is no different.

However, there needs to be consistency. I'm sure I am not the only one on the Huntr platform with several of the same reported vulnerabilities across multiple repositories and seeing them changed and modified by each individual maintainer without much rhyme or reason. Nothing is more frustrating than taking the time to research similar findings in the past to identify the most objective score possible and seeing someone question your knowledge and professionalism without reason. I'm not infallible and have no issue admitting I am wrong when proven so. That needs to go both ways on Huntr, as there is no way to challenge a maintainer's adjustment, downgrading to a $0 payout, all the while other findings of the exact same nature are being issued High or Critical ratings, payouts, and CVEs (especially when the downgraded report is MORE vulnerable than the others).

This is why I'm recommending that, before a maintainer can modify a severity score, they are required to justify it with references, as researchers are required to do with Permalinks. If we are expected to justify our scoring and actions, and to help the maintainer locate vulnerable code, we should expect the same in return.

Second, provide researchers with an appeal process that directly involves the admin team, or a neutral third party with experience in severity scoring. There needs to be a check and balance on this system that doesn't weigh 100% towards the maintainer as it currently does.

If needed, I am happy to provide reports and disclosures, as well as justification for why each of my findings has been scored the way it has been.

Thanks!
Joe
