VRT Council minutes

VinceMHernandez edited this page Nov 15, 2019 · 79 revisions

Fri, 15 November 2019 18:30:00 UTC

Host: @plr0man
Review duty: @VinceMHernandez
Active participants (other than the above): @adamrdavid, @barnett, @jquinard, @csimas1, @shpendk
Attendees (other than the above): @roberttreder, @chrashley-, @dshiv, @TheGarth, @SwayzeSlacks85

Agenda items:

  1. [WIP] Add mapping to Secure Code Warrior trial #264

    • Someone needs to verify the mapping code and try to have it done by next week; this could be a shared responsibility. It is possibly too early to go over and review this information. There is no timeline yet for the launch. Since it is a mapping, it could be launched as a patch.
  2. Improving the credentials disclosure VRT entries

    • Credentials disclosure VRT entries are the most downgraded. Proposing a new category adjustment with updated ratings.

Fri, 1 November 2019 18:30:00 UTC

Host: @plr0man
Review duty: @TheGarth
Active participants (other than the above): @Dshiv, @jquinard, @SwayzeSlacks85
Attendees (other than the above): @adamrdavid, @chrashley-, @roberttreder, @barnett, @csimas1

Agenda items:

  1. #263 - Universal (UXSS) - Should have Higher Severity
    No changes needed here. This entry is not for XSS in browsers/extensions, but for XSS in webapps that might use these if the user has installed them.

  2. #262 - Clarification related to "No Spoofing Protection on Email Domain"
    Will clarify with the researcher. The best way to check if a domain is in fact used for email is to receive a valid email from it and, if not, to ask the customer.


Fri, 20 September 2019 18:30:00 UTC

Host: @plr0man
Review duty: @m-q-t
Active participants (other than the above): @adamrdavid, @barnett, @jquinard, @dshiv
Attendees (other than the above): @roberttreder, @m-q-t, @pizza-enthusiast, @khemmingsen, @TheGarth, @SwayzeSlacks85, @VinceMHernandez, @dapperRobotBear

Agenda items:

  1. Why Was issue #150 merged into the VRT? #256

    • A decision was made about this issue during last council meeting. It was decided that there is no need to revise it.
  2. Pruning or consolidation of the VRT

    • Still being discussed.

Fri, 6 September 2019 18:30:00 UTC

Host: @plr0man
Review duty: @Dshiv
Active participants (other than the above): @adamrdavid, @barnett, @m-q-t
Attendees (other than the above): @roberttreder, @jquinard, @pizza-enthusiast, @khemmingsen, @TheGarth, @SwayzeSlacks85, @VinceMHernandez

Agenda items:

  1. No memory corruption bugs? #258 (Should we introduce priority ranges?)
    • Most agreed that the end result of these bugs already had VRT entries.

  2. Stricter mapping requirement or keeping the default
    • No action needed. We agree that current checks are sufficient, but recognize that we might want to make them stricter if there's need in the future.

  3. Process changes coming down the pipeline that affect (and make more critical) the use of the VRT
    • No discussion happened here.

  4. Pruning or consolidation of the VRT
    • No discussion happened here.

Additional Notes:
There was discussion around the idea of creating Priority Mappings. This would require a decent update to the VRT. There were also talks around not having a default set for these. There was an agreement that the idea was good.


Fri, 23 August 2019 18:30:00 UTC

Host: @plr0man
Review duty: @VinceMHernandez
Active participants (other than the above): @Dshiv, @jquinard, @adamrdavid, @barnett, @TheGarth, @m-q-t
Attendees (other than the above): @roberttreder, @pizza-enthusiast, @khemmingsen

Agenda items:

  1. Failure to Invalidate Session > On 2FA Activation/Change #257
    Researchers are referencing other reports about this issue, and P5 seems to be the recommended rating. The result is adding it as P5.

  2. Why Was issue #150 merged into the VRT? #256
    Previous discussions stated that an app could have this disabled on specific sensitive areas. We will take votes on how to proceed with this issue.

  3. When are we cutting a new release of the VRT?
    Steps to produce a new VRT version can take place next week.


Fri, 19 July 2019 18:30:00 UTC

Host: @plr0man
Review duty: @plr0man
Active participants (other than the above): @dapperRobotBear, @adamrdavid, @barnett, @theGmoney, @m-q-t, @OppenheimersToy
Attendees (other than the above): @TheGarth, @roberttreder, @jquinard, @chrashley-, @pizza-enthusiast

Agenda items:

  1. Adding a category for disclosed/leaked usernames and passwords #254
    Current VRT entries suffice for the time being. There are some changes in the platform that are under development and will allow researchers to suggest a rating for "Varies" entries. Once that is deployed we should look into changing some VRT entries into "Varies" to better reflect the average ratings.

  2. Review of statistical data on how VRT ratings are adjusted in the reports


Fri, 19 April 2019 18:30:00 UTC

Host: @plr0man
Review duty: @Dshiv
Active participants (other than the above): @SwayzeSlacks85, @adamrdavid, @VinceMHernandez
Attendees (other than the above): @TheGarth, @khemmingsen, @roberttreder, @m-q-t

Agenda items:

  1. #248 - New VRT Entry: Add a new entry to VRT for Sensitive Data Exposure
    This was discussed. Overall, the issue here was the person not fully understanding the Bugcrowd Submission UI.

  2. #249 - Insecure Deserialization
    The only example shown here is already covered by the VRT. The team decided that we would request an example that is not already covered.

  3. Internal discussion regarding 'stay logged in'
    We decided that this should be treated just like lack of session invalidation on password change reports.


Fri, 3 May 2019 18:30:00 UTC

Host: @plr0man
Review duty: @TheGarth
Active participants (other than the above): @Dshiv, @theGmoney, @roberttreder
Attendees (other than the above): @adamrdavid, @chrashley, @jquinard, @m-q-t, @VinceMHernandez, @pizza-enthusiast

Agenda items:

  1. #246 - Add a new VRT entry for: Failure to Invalidate Session -> Cookie Replay Attack
    We agree that this is an N/A type of issue and the suggested protections are questionable.

Fri, 19 April 2019 18:30:00 UTC

Host: @plr0man
Review duty: @jquinard
Active participants (other than the above):
Attendees (other than the above): @TheGarth, @VinceMHernandez, @m-q-t, @Tcune, @adamrdavid, @SwayzeSlacks85, @Dshiv, @barnett

Agenda items:

  1. #243 - Cache Poisoning
    Needs remediation advice.

  2. #241 - Race condition
    Remediation advice needs polishing.


Fri, 12 April 2019 18:30:00 UTC

Host: @plr0man
Review duty: @Dshiv
Active participants (other than the above): @roberttreder, @SwayzeSlacks85, @chrashley
Attendees (other than the above): @adamrdavid, @TheGarth, @m-q-t, @Tcune, @trimkadriu, @VinceMHernandez

Agenda items:

  1. Add Automotive Security Misconfiguration mappings #237
    PR has been created.

  2. Adding Race Condition #241
    Missing remediation advice. We decided that it is our (BC/SecOps) responsibility to provide remediation advice if there's none suggested by the community.

Fri, 05 April 2019 18:30:00 UTC

Host: @plr0man
Review duty: @roberttreder
Active participants (other than the above): @shpendk, @SwayzeSlacks85, @Dshiv, @jquinard, @barnett, @chrashley
Attendees (other than the above): @adamrdavid, @TheGarth, @m-q-t, @Tcune, @VinceMHernandez

Agenda items:

  1. #238 - Impact problems
    Extensively discussed. It was widely agreed that chaining vulnerabilities needs to be addressed; many want to wait until support for this is baked into the platform itself, which is something being worked on. Several options were discussed to address the perceived inconsistency between the different victim-interaction account takeover entries, including downgrading the priority of some entries, upgrading the priority of common chaining vulnerabilities, etc. More discussion and community feedback will be sought before any changes are made.

  2. #237 - Automotive VRT
    CVSS mapping has been provided; it will be reviewed and added to the VRT.

Fri, 29 March 2019 18:30:00 UTC

Host: @plr0man
Review duty: @jquinard
Active participants (other than the above): @adamrdavid, @roberttreder, @Tcune, @theGmoney
Attendees (other than the above): @TheGarth, @trimkadriu, @VinceMHernandez, @m-q-t

Agenda items:

  1. #237 - Automotive VRT
    Waiting for CVSS mapping.

  2. #231 - Race condition
    Proposed “varies” class. Still being discussed.

  3. #235 - Cache poisoning
    Proposed “varies” class. Still being discussed.

  4. #239 - Indicators of compromise
    Missing CWE mapping and remediation mapping.

  5. #238 - Impact problems
    Reflected XSS to account takeover is still a P3. Need more discussion on how to handle chaining with P4/P5 issues which would technically lead to account takeover.

Fri, 22 March 2019 18:30:00 UTC

Host: @plr0man
Review duty: @VinceMHernandez
Active participants (other than the above): @roberttreder, @SwayzeSlacks85, @jquinard
Attendees (other than the above): @rwilliamson2011, @chrashley-, @Tcune, @Dshiv, @TheGarth, @theGmoney, @shpendk, @khemmingsen, @trimkadriu

Agenda items:

  1. #235 - Adding DNS Cache Poisoning to VRT
    Seems like a good addition once the rating is ironed out. Perhaps a “varies” rating here until we gather enough data regarding exploit types.

  2. #231 - Race Condition entry
    A good entry to have; the category still needs to be confirmed, and “varies” seems to be the route to take.

  3. VRT 1.7
    Work in progress should be available soon.


Fri, 15 March 2019 18:30:00 UTC

Host: @plr0man
Review duty: @TheGarth
Active participants (other than the above): @roberttreder, @SwayzeSlacks85, @barnett, @jquinard
Attendees (other than the above): @adamrdavid, @chrashley-, @Tcune, @VinceMHernandez

Agenda items:

  1. P3: XSS -> Unstored (form based CSRF) #229 - The consensus is that this is a POST-based reflected XSS by our current definitions.
  2. Two separate entries for password change and reset #230 - This was an intentional change at an earlier point of the VRT. We will review & share the original reasoning for the decision.
  3. Race Condition #231 - No consensus so far on if we need a new entry. Currently it seems like "varies" would be the most favored option.

Fri, 8 March 2019 18:30:00 UTC

Host: @plr0man
Review duty: @Dshiv
Active participants (other than the above): @adamrdavid, @jquinard, @barnett, @chrashley-

Attendees (other than the above): @TheGarth, @trimkadriu, @VinceMHernandez, @SwayzeSlacks85, Kevin Hemmingsen

Agenda items:

  1. Indicators of Compromise #224
    Add to the VRT an entry indicating that something has been compromised. Discussion centred on the reasoning we should apply: when a new VRT entry has a baseline priority we see some increase, whereas a “varies” rating might cause it to be lower.
    ----
    Choice: Add it so we may observe researcher interactions around it.

Fri, 1 March 2019 18:30:00 UTC

Host: @plr0man
Review duty: @VinceMHernandez

Active participants (other than the above): @barnett

Attendees (other than the above): @Tcune, @jquinard, @SwayzeSlacks85, @TheGarth, @adamrdavid, @khemmingsen, @chrashley-

Agenda items:

  1. #202 - Adding Automotive VRT Categories for Vehicle-based bugs
    Categories are being added to VRT and @shipcod3 will address mappings.

  2. Scheduling of v1.7 release updates
    PR will be reviewed today by @VinceMHernandez with hopes of getting a release next week.


Fri, 15 February 2019 18:30:00 UTC

Host: @plr0man
Review duty: @TheGarth

Active participants (other than the above): @adamrdavid, @theGmoney, @jquinard, @barnett

Attendees (other than the above): @trimkadriu, @Dshiv, @SwayzeSlacks85, @khemmingsen

Agenda items:

  1. #217 - The team considers this to be P5 as the issue is with the email provider. We might want to add a P5 entry here.

  2. #218 - Further Review Needed

  3. #213 - Notes from @barnett

  4. Enabling outside contributions on remediation advice - Request from @caseyjohnellis that @barnett was looking to get feedback on

  5. Scheduling of v1.7 release - Time to wrap up all PRs/Issues. We'll try to get it done by next council meeting


Fri, 1 February 2019 18:30:00 UTC

Host: @plr0man

Review duty: @Tcune

Active participants (other than the above): @jquinard, @Dshiv
Attendees (other than the above): @TheGarth, @trimkadriu, @EdisK, @VinceMHernandez, @SwayzeSlacks85, @roberttreder, @theGmoney

Agenda items:

  1. #212 - Revise Application-level DoS baseline severity rating
    Most disagreed on adding a varies entry for this. Decided to poll our options.

Fri, 18 January 2019 18:30:00 UTC

Host: @plr0man
Review duty: @jquinard
Active participants (other than the above): @roberttreder, @Tcune, @SwayzeSlacks85
Attendees (other than the above): @FatihEgbatan, @TheGarth, @trimkadriu, @semprix, @adamrdavid, @VinceMHernandez, @CarlosSimas28, @shpendk

Agenda items:

  1. #203 - 2FA Secret recovery and refresh
    Decided on syntax for proposed category. Will be scheduled to be added to VRT.

  2. #209 - Session Deletion Upon Account Removal
    Consensus for priority is ‘varies’. It was then decided that the entry would not be needed since generic BAC would suffice.

  3. #210 - Add DOM based XSS as P2
    This would essentially be a subclass of reflected XSS. Not enough support to be added as its own subclass.


Fri, 11 January 2019 18:30:00 UTC

Host: @plr0man

Review duty: @chrashley-

Active participants (other than the above): @Dshiv, @jquinard, @shpendk, @barnett

Attendees (other than the above): @FatihEgbatan, @TheGarth, @trimkadriu, @VinceMHernandez, @shipcod3, @semprix, @simasc

Agenda items:

  1. Adding Automotive VRT Categories for Vehicle-based bugs #202
    Needs more feedback

  2. 2FA Secret recovery and refresh #203
    There is a proposed classification that needs to be polished

  3. Session Deletion Upon Account Removal #209
    Needs discussion


Fri, 4 January 2019 18:30:00 UTC

Host: @plr0man
Review duty: @jquinard
Active participants (other than the above): @Dshiv, @shipcod3, @SwayzeSlacks85
Attendees (other than the above): @FatihEgbatan, @roberttreder, @TheGarth, @trimkadriu, @semprix, @adamrdavid, @VinceMHernandez

Agenda items:

  1. Adding Automotive VRT Categories for Vehicle-based bugs #202
    This is still in progress and waiting on more feedback.

  2. 2FA Secret recovery and refresh #203
    Agreed on P4. VRT syntax in discussion.

  3. VRT is incorrectly perceived as Web only.
    How do we remedy this?


Fri, 21 December 2018 18:30:00 UTC

Host: @plr0man
Review duty: @roberttreder
Active participants (other than the above): @Dshiv, @adamrdavid, @jquinard
Attendees (other than the above): @chrashley-, @shpendk, @OppenheimersToy, @FatihEgbatan, @shipcod3, @jquinard, @roberttreder, @TheGarth, @SwayzeSlacks85, @trimkadriu

Agenda items:

  1. Add Password Reset Token Leakage via Host Header Poisoning on Password Reset Function #199
    Discussion of where this should slot into the VRT
  2. Adding Automotive VRT Categories for Vehicle-based bugs #202
    Looking for more feedback
  3. 2FA Secret recovery and refresh #203
    Discussion of whether this should be a P4 or P5
  4. Revise username enumeration entry names #207
    Will comment in Github

Fri, 26 October 2018 18:30:00 UTC

Host: @plr0man
Review duty: @Dshiv
Active participants (other than the above): @CarlosSimas28, @jquinard, @shpendk, @shipcod3, @SwayzeSlacks85
Attendees (other than the above): @adamrdavid, @chrashley-, @semprix, @EdisK, @FatihEgbatan, @TheGarth, @SwayzeSlacks85, (Kevin Hemmingsen), @roberttreder, @Tcune, @VinceMHernandez

Agenda items:

  1. Add Password Reset Token Leakage via Host Header Poisoning on Password Reset Function #199
    We agree on the proposed entry: P2: Sensitive Data Exposure > Weak Password Reset Implementation > Token Leakage via Host Header Poisoning
  2. Adding Automotive VRT Categories for Vehicle-based bugs #202
    No further questions regarding this happened.
  3. 2FA Secret recovery and refresh #203
    Sounds like a discussion on the purpose of P5 - Informational and how it's been working out since it was introduced. Still waiting for more opinions in the issue
  4. Email spoofing on non-email domain #204
    We agree on the proposed entry:
    P5 - Server Security Misconfiguration | Mail Server Misconfiguration | Email Spoofing on non-email domain
    Further discussion on this item is needed.
  5. Casey's question regarding an angry researcher Tweet
    A look into the meanings of many enumeration VRT category items needs to happen.

Fri, 30 November 2018 18:30:00 UTC

Host: @plr0man
Review duty: @Tcune
Active participants (other than the above): @shpendk, @adamrdavid, @shipcod3, @Dshiv, @jquinard
Attendees (other than the above): @roberttreder, @EdisK, @TheGarth, @SwayzeSlacks85, @trimkadriu, @VinceMHernandez, @chrashley, @CarlosSimas28, @FatihEgbatan, @semprix, @theGmoney

Agenda items:

  1. Add Password Reset Token Leakage via Host Header Poisoning on Password Reset Function #199
    Discussed how impactful this would be and how often this is seen. The team would like a VRT entry added.

  2. Add Missing Pragma HTTP Header #200
    Also discussed how often this is seen and whether an entry should be added. The team does not believe any changes are necessary.

  3. Should we add an entry for missing spoofing protection on non-email domains?
    Take a poll and see if we still need a new entry.

  4. "Using Components with Known Vulnerabilities" Should be 'Varies' #201
    Discuss improvements with the design team around being able to assign the VRT on any level and making it clearer that those are "Varies". The team agrees that there's no need for changes here, as a working PoC should result in being able to assign the VRT entry corresponding to the end-result vulnerability. Any CVE-based reports are not applicable if there's no PoC.

  5. Can we add some of the automotive vulnerability classes from FCA's schema/bug bash to the VRT?
    Jay has some lists for VRT categories.

Fri, 26 October 2018 18:30:00 UTC

Host: @plr0man
Review duty: @TheGarth
Active participants (other than the above): @SwayzeSlacks85, @adamrdavid, @EdisK, @trimkadriu
Attendees (other than the above): @chrashley-, @shipcod3, @jquinard, @roberttreder, @rwilliamson2011, @shpendk, @VinceMHernandez, @Dshiv

Agenda items:

  1. Add rate limiting to arbitrary account lockout #194
    Discussion related to the potential baseline rating for the issue, as well as a satisfactory entry name. We decided to close the issue at this time.
  2. Add Flash-based Cross-Site Scripting (XSS) as P4 #120
    Discussed new comments on the issue.
  3. Missing DMARC (P5) Needs Moving Inline with Email Spoofing (P3) #195
    Decided on an updated classification proposal.

Fri, 19 October 2018 18:30:00 UTC

Host: @plr0man
Review duty: @EdisK
Active participants (other than the above): @Dshiv, @adamrdavid, @shpendk, @trimkadriu
Attendees (other than the above): @CarlosSimas28, @Tcune, @EdisK, @FatihEgbatan, @roberttreder, @VinceMHernandez, @rwilliamson2011, @chrashley-, @SwayzeSlacks85

Agenda items:

  1. Add rate limiting to arbitrary account lockout #194
    Most of us agreed on having it as a potential P4 Entry. Still to be discussed.
  2. Missing DMARC (P5) Needs Moving Inline with Email Spoofing (P3) #195
    We discussed and agreed that we should triage such issues as P4, as this actually shows a misconfiguration in DMARC.

Fri, 12 October 2018 18:30:00 UTC

Host: @plr0man
Review duty: @trimkadriu
Active participants (other than the above): @Dshiv, @adamrdavid
Attendees (other than the above): @CarlosSimas28, @Tcune, @EdisK, @FatihEgbatan, @roberttreder, @VinceMHernandez, @rwilliamson2011, @chrashley-, @shpendk, @SwayzeSlacks85

Agenda items:

  1. Add rate limiting to arbitrary account lockout #194
    We gave it another week of discussion on GitHub with the community before the final decision.
  2. Missing DMARC (P5) Needs Moving Inline with Email Spoofing (P3) #195
    We discussed the findings of our research and tests, and an initial proposal for change was made. More tests are still needed, along with a check for any loopholes.

Fri, 28 September 2018 18:30:00 UTC

Host: @plr0man
Review duty: @Tcune
Active participants (other than the above): @adamrdavid, @barnett
Attendees (other than the above): @CarlosSimas28, @FatihEgbatan, @VinceMHernandez, Abby Mulligan, @rwilliamson2011, @jquinard, @chrashley-, @TheGarth, @shipcod3, @SwayzeSlacks85, @OppenheimersToy, @Dshiv, @shpendk, @roberttreder, @theGmoney, @trimkadriu

Agenda items:

  1. Add rate limiting to arbitrary account lockout #194
    Looks like we are all in agreement. ASE on duty will leave a comment.

Fri, 21 September 2018 18:30:00 UTC

Host: @plr0man
Review duty: @roberttreder
Active participants (other than the above): @ryancblack, @trimkadriu
Attendees (other than the above): @CarlosSimas28, @FatihEgbatan, @VinceMHernandez, Abby Mulligan, @rwilliamson2011, @jquinard, @chrashley-, @TheGarth, @shipcod3, @SwayzeSlacks85, @OppenheimersToy, @Dshiv

Agenda items:

  1. Add rate limiting to arbitrary account lockout #194
    We agree that there is a need for such an entry. We will discuss on GitHub over the coming week with the community to determine the scope of the entry and whether a more descriptive name can be found.

Fri, 24 August 2018 18:30:00 UTC

Host: @plr0man
Review duty: @shipcod3
Active participants (other than the above): @theGmoney, @Dshiv, @adamrdavid, @roberttreder
Attendees (other than the above): @trimkadriu, @CarlosSimas28, @FatihEgbatan, @VinceMHernandez, Mark Druzin, Mike Perez, @jquinard, @chrashley-, @ryancblack, Kevin Hemmingsen, @rwilliamson2011, @TheGarth

Agenda items:

  1. @plr0man open PR for #187
  2. ASE on duty review #187
  3. ASE on duty share an opinion in #188

Fri, 17 August 2018 18:30:00 UTC

Host: @plr0man
Review duty: @trimkadriu
Active participants (other than the above): @jquinard, @chrashley-, @theGmoney, @Tcune, @ryancblack, @Dshiv
Attendees (other than the above): @trimkadriu, @CarlosSimas28, @FatihEgbatan, @shipcod3, @roberttreder, @VinceMHernandez, Mark Druzin, Mike Perez

Agenda items:

  1. Add Missing CAPTCHA #187
    We agree that there is a need for such an entry. The subcategory name might need updating though, as it says "bypass" and the entry would be for "missing".

Fri, 3 August 2018 18:30:00 UTC

Host: @plr0man
Review duty: @jquinard
Active participants (other than the above): @theGmoney, @Dshiv, @ryancblack
Attendees (other than the above): @CarlosSimas28, @FatihEgbatan, @shipcod3, @roberttreder, @Tcune, @VinceMHernandez, @TheGarth, Abby Mulligan

Agenda items:

  1. Subdomain Takeover #178
    Unanimous consensus on proposed VRT class changes.

  2. Discuss ways to add context to VRT classes, geared towards researchers and clients.


Fri, 20 July 2018 18:30:00 UTC

Host: @plr0man
Review duty: @TheGarth
Active participants (other than the above): @theGmoney, @jhaddix, @ryancblack, @Dshiv
Attendees (other than the above): @adamrdavid, @chrashley-, @barnett, @CarlosSimas28, @FatihEgbatan, @shipcod3, @jquinard, @roberttreder, @rwilliamson2011, @OppenheimersToy, @SwayzeSlacks85, @shpendk, @trimkadriu, @Tcune, @VinceMHernandez, Kevin Hemmingsen, Mike Perez

Agenda items:

  1. Add Insecure Binary category #178
    A decision was made to close this issue. Nevertheless, it was a good learning experience for the team.

  2. Add New Clickjacking Subcategory #179
    We have a green light to implement option 1.

  3. Broken Authentication and Session Management - Weak Login Function Changes #180
    Needs more input, with all three options being proposed. This issue is related to #181.

  4. Sensitive service/login panel/file disclosure context-based entry classification and prioritization #181
    We all seem to agree with the FTP oriented issues being most appropriately classified as Varies. The rest of the issue needs more feedback as there are drawbacks around using Varies.


Fri, 13 July 2018 18:30:00 UTC

Host: @plr0man
Review duty: @Dshiv
Active participants (other than the above): @theGmoney, @jhaddix
Attendees (other than the above): @adamrdavid, @chrashley-, @barnett, @FatihEgbatan, @jquinard, @OppenheimersToy, @SwayzeSlacks85, @shpendk, @trimkadriu, @Tcune, @VinceMHernandez

Agenda items:

  1. XSS Admin -> everyone is rated too high #166
    We’ve revisited this topic with the team based on the recent feedback and will share the decision in the issue

  2. Add Insecure Binary category #178
    Looks like option 2 is the preferred one. Waiting on more feedback until the next VRT Council

  3. Add New Clickjacking Subcategory #179
    Awaiting more feedback in the issue

  4. Broken Authentication and Session Management - Weak Login Function Changes #180
    Initial conversation leaves the door open to choose between the two proposed solutions: option 1 from jhaddix and option 2 from plr0man


Fri, 6 July 2018 18:30:00 UTC

Host: @plr0man
Review duty: @VinceMHernandez
Active participants (other than the above): @roberttreder, @ryancblack
Attendees (other than the above): @FatihEgbatan, @CarlosSimas28, @trimkadriu, @TheGarth, @shipcod3, @SwayzeSlacks85, @Tcune, @chrashley-, Abby Mulligan, @EdisK, @Dshiv, @jhaddix, @jquinard, @OppenheimersToy, @rwilliamson2011, @shpendk

Agenda items:

  1. XSS Admin -> everyone is rated too high #166
    We have a green light to implement the originally proposed solution

  2. Add Insecure Binary category #178
    General discussion and call for feedback


Fri, 29 June 2018 18:30:00 UTC

Host: @plr0man
Review duty: @shipcod3
Active participants (other than the above): @shpendk, @adamrdavid, @jquinard, @chrashley
Attendees (other than the above): @barnett, @FatihEgbatan, @CarlosSimas28, @trimkadriu, @theGmoney, @TheGarth, @SwayzeSlacks85, @roberttreder, @Tcune

Agenda items:

  1. XSS Admin -> everyone is rated too high #166
    Needs more discussion

  2. Add SSL Certificate Error #176
    Agreed and waiting for a PR


Fri, 22 June 2018 18:30:00 UTC

Host: @plr0man
Review duty: @roberttreder
Active participants (other than the above): @jquinard, @Tcune
Attendees (other than the above): @adamrdavid, @barnett, @FatihEgbatan, @CarlosSimas28, @trimkadriu, @theGmoney, @TheGarth, @shipcod3, @OppenheimersToy, @SwayzeSlacks85, @VinceMHernandez, @shpendk

Agenda items:

  1. XSS Admin -> everyone is rated too high #166
    We will research a solution this coming week.

  2. Add No-Rate-Limit SMS triggering #169
    We have a green light to implement as proposed by the majority.


Fri, 15 June 2018 18:30:00 UTC

Host: @plr0man
Review duty: @jquinard
Active participants (other than the above): @theGmoney, @trimkadriu, @Tcune
Attendees (other than the above): @EdisK, @rwilliamson2011, @CarlosSimas28, @shipcod3, @SwayzeSlacks85, @VinceMHernandez, @chrashley-, @shpendk, @barnett, @adamrdavid, @TheGarth, @roberttreder, @OppenheimersToy, Kevin Hemmingsen

Agenda items:

  1. XSS Admin -> everyone is rated too high #166
    Needs research on the best classification based on the XSS to privilege gain level and who “anyone” would be

  2. Revise 'Email Spoofable Via Third-Party API Misconfiguration' #167
    We’ve chosen option 2.

  3. Add No-Rate-Limit SMS triggering #169
    We agree about the proposed entry and P4 rating


Fri, 8 June 2018 18:30:00 UTC

Host: @plr0man
Review duty: @FatihEgbatan
Active participants (other than the above): @theGmoney, @SwayzeSlacks85, @trimkadriu, @shpendk, @roberttreder
Attendees (other than the above): @ryancblack, @adamrdavid, @chrashley-, @barnett, @CarlosSimas28, @FatihEgbatan, @TheGarth, @shipcod3, @jquinard, Kevin Hemmingsen, Marc Druzin, @rwilliamson2011, @Tcune, @VinceMHernandez

Agenda items:

  1. Second Factor Authentication Bypass Proposal #94
    Waiting on a green light from the team in the issue

  2. Add WAF Bypass > Direct Server Access #170
    Needs research on an applicable CWE mapping; if none is found, a merge

  3. XSS Admin -> everyone is rated too high #166
    We are considering adjustments based on the XSS to privilege gain level

  4. Revise 'Email Spoofable Via Third-Party API Misconfiguration' #167
    Needs more comments as there are multiple opinions

  5. Add Blind XSS? #168
    Needs a response

  6. Add No-Rate-Limit SMS triggering #169
    We'd like to add such an entry as P4


Fri, 1 June 2018 18:30:00 UTC

Host: @plr0man
Review duty: @chrashley-
Active participants (other than the above): @theGmoney, @shipcod3
Attendees (other than the above): @ryancblack, @adamrdavid, @barnett, @CarlosSimas28, @FatihEgbatan, @TheGarth, @jquinard, Kevin Hemmingsen, Marc Druzin, @rwilliamson2011, @roberttreder, @SwayzeSlacks85, @Tcune, @VinceMHernandez

Agenda items:

  1. XSS Admin -> everyone is rated too high #166
    Waiting on jcran’s response and/or any other feedback

  2. Simplify CWE mapping / Use nodes in the "Research" view #160
    If no response, we will update this PR according to the existing review

  3. Second Factor Authentication Bypass Proposal #94
    We have a consensus and will share it in the issue

  4. Suggestion to add new entry for WAF Bypass #159
    If no further feedback we will implement the solution proposed in the most recent comment

  5. Revise 'Email Spoofable Via Third-Party API Misconfiguration' #167
    Waiting on more feedback


Fri, 25 May 2018 18:30:00 UTC

Host: @plr0man
Review duty: @Dshiv
Active participants (other than the above): @ryancblack, @jquinard, @CarlosSimas28, @trimkadriu
Attendees (other than the above): @barnett, @chrashley-, @adamrdavid, @FatihEgbatan, @shipcod3, @tcune, @VinceMHernandez

Agenda items:

  1. Admin -> everyone is rated too high #166
    Awaiting more info

Fri, 18 May 2018 18:30:00 UTC

Host: @swayzeslacks85
Review duty: @trimkadriu
Active participants (other than the above): @theGmoney, @barnett, @plr0man, Casey Ellis, @chrashley-, @ryancblack
Attendees (other than the above): Abby Mulligan, Adam David, @CarlosSimas28, @EdisK, @FatihEgbatan, @shipcod3, @jquinard, Keith Hoodlet, Kevin Hemmingsen, @rwilliamson2011, @roberttreder, @shpendk, @tcune, @VinceMHernandez

Agenda items:

  1. General discussion and call for feedback on the pending VRT issues

  2. Further discussion of jcran's CWE feedback; greater dialogue is needed here, as CVSS is more widely used.

  3. Discussion of upgrading a mobile entry to P4; it was decided to stay at P5. There is a need for greater discussion around how we currently handle P5s, and for investigating more mobile entries to add to the VRT.


Fri, 11 May 2018 18:30:00 UTC

Host: @plr0man
Co-host: @trimkadriu
Review duty: @EdisK
Active participants (other than the above): @theGmoney, @shpendk, @Dshiv, @barnett, @FatihEgbatan, @shipcod3
Attendees (other than the above): Abby Mulligan, @adamrdavid, @TheGarth, @jquinard, @rwilliamson2011, @roberttreder, @SwayzeSlacks85, @Tcune, @VinceMHernandez

Agenda items:

  1. The team is continuing to look into the potential of distinguishing not applicable type of issues from P5’s in the VRT

  2. Add a new VRT entry for SSRF -> DNS Queries #157
    We agree that there’s need for such an entry. The issue needs some comments before filing a PR

  3. Suggestion to add new entry for WAF Bypass #159
    We agree that there’s need for such an entry, but it needs a more specific name and more input before we file a PR


Fri, 4 May 2018 18:30:00 UTC

Host: @plr0man
Co-host: @jquinard
Review duty: @CarlosSimas28
Active participants (other than the above): @theGmoney, @rwilliamson2011, @chrashley-, @Tcune, @SwayzeSlacks85, @roberttreder, @shpendk, @TheGarth
Attendees (other than the above): @EdisK, @trimkadriu, @shipcod3, @VinceMHernandez

Agenda items:

  1. The team is looking into the potential of distinguishing not applicable type of issues from P5’s in the VRT

  2. Discussion on VRT Entry: Failure to Invalidate Session on Password Change #154
    The issue was discussed and a response will be given shortly


Fri, 27 April 2018 18:30:00 UTC

Host: @jquinard
Review duty: @Tcune
Active participants (other than the above): @SwayzeSlacks85, @ryancblack, @TheGarth, @plr0man, @theGmoney, @CarlosSimas28
Attendees (other than the above): @rwilliamson2011, @roberttreder, @trimkadriu, @Tcune, @chrashley-, @EdisK, @shipcod3, @shpendk

Agenda items:

  1. Mobile Security Misconfiguration > Copy/Paste Sensitive Data to Global Clipboard #150 has been approved and is awaiting a PR.

  2. Revise 'Session Fixation' class to be more clear #152 has been approved. Session Fixation will be split into two entries. Waiting on PR.

  3. New VRT entry for session token transferred over unencrypted channel (for non-cookie headers) #153 has been approved pending no new dissenting opinions. Waiting on PR.


Fri, 20 April 2018 18:30:00 UTC

Host: @plr0man
Review duty: @chrashley-
Active participants (other than the above): @jquinard, @barnett, @ryancblack, @TheGarth, @trimkadriu
Attendees (other than the above): @FatihEgbatan, @rwilliamson2011, @roberttreder, @SwayzeSlacks85, @VinceMHernandez

Agenda items:

  1. VRT 1.4 is pending release on May 7th. The version has been cut and we are working on v1.5 now.

  2. Add Flash-Based variants #151 is waiting for a review and a merge.

  3. Add entry for - Mobile Security Misconfiguration > Copy/Paste Sensitive Data to Global Clipboard #150 will receive two sensitive/non-sensitive variants. We're waiting for more feedback on specific names and location

  4. Revise 'Session Fixation' class to be more clear #152 will receive two variants corresponding to the remote and local attack vectors. We're waiting for more feedback on the specific classification

  5. Need a new VRT entry for session token transferred over unencrypted channel (for non-cookie headers) #153 will receive a variant. We're waiting for more feedback on the specific classification


Fri, 13 April 2018 18:30:00 UTC

Host: @plr0man
Review duty: @FatihEgbatan
Active participants (other than the above): @barnett, @theGmoney, @shpendk
Attendees (other than the above): @CarlosSimas28, @Dshiv, @EdisK, Garth Brubaker, @jquinard, @rwilliamson2011, @roberttreder, @SwayzeSlacks85, @trimkadriu, @Tcune, @VinceMHernandez, @chrashley-

Agenda items:

  1. VRT 1.4 release is approaching and the team is buttoning up all of the pending tasks

  2. Remove staging environment distinction from the VRT #139 Merging this PR as proposed after an extensive discussion. Updating Brief verbiage to clarify the purpose of the VRT baselines and improving customer education


Fri, 6 April 2018 18:30:00 UTC

Host: @plr0man
Review duty: @trimkadriu
Active participants (other than the above): @barnett
Attendees (other than the above): @ryancblack, @Dshiv, @EdisK, @FatihEgbatan, Garth Brubaker, @shipcod3, @paulfri, @rwilliamson2011, @roberttreder, @shpendk, @Tcune, @VinceMHernandez

Agenda items:

  1. VRT 1.4 release is approaching and the team is buttoning up all of the pending PRs

  2. Add VRT to Remediation mapping #116
    This PR needs some last updates and is ready to merge


Fri, 30 March 2018 18:30:00 UTC

Host: @plr0man
Review duty: @CarlosSimas28
Active participants (other than the above): @Dshiv
Attendees (other than the above): @jquinard, @FatihEgbatan, Garth Brubaker, @rwilliamson2011, @trimkadriu, @paulfri, @SwayzeSlacks85, @roberttreder, @Tcune, @VinceMHernandez

Agenda items:

  1. Downgrade weak P4's #138 and Revise Weak Login Function subcategory #143
    Waiting on engineering's assistance to fix CI tests

  2. Remove staging environment distinction from the VRT #139
    Waiting for more feedback

  3. Other unmerged PRs and pending Issues
    General discussion and scheduling action items for the team


Fri, 23 March 2018 18:30:00 UTC

Host: @plr0man
Review duty: Treder
Active participants (other than the above): @ryancblack, Grant Mccracken, @Dshiv, @barnett, @EdisK, @shpendk
Attendees (other than the above): @jquinard, @FatihEgbatan, Garth Brubaker, @rwilliamson2011, @trimkadriu, @CarlosSimas28, @chrashley-, @paulfri, @SwayzeSlacks85

Announcements: Vulnerability Roundtable has been divided into two separate meetings: Vulnerability Roundtable and VRT Council. VRT Council will be focusing on VRT related issues and the minutes from this meeting will continue to be shared here

Agenda items:

  1. Revise 'Weak Login Function' subcategory #135
    Waiting for any last minute comments before filing a PR

  2. Remove 'Network Security Misconfiguration > Telnet Enabled > Credentials Required' #140
    Green light to file a PR

  3. Downgrade off-domain "XSS" using data urls to P5 #141
    Clarification needed


Fri, 16 March 2018 18:00:00 UTC

Host: @plr0man
Minutes by: @Dshiv
Active participants (other than the above): @jhaddix, @EdisK, @chrashley-, @shpendk, @andMYhacks
Attendees (other than the above): @jquinard, @VinceMHernandez, @FatihEgbatan, Garth Brubaker, @rwilliamson2011, @trimkadriu, Vinicius Fernandes, Robert Treder, @raels, @CarlosSimas28, @shipcod3

Agenda items:

  1. Add Flash-based Cross-Site Scripting (XSS) as P4 #120
    It has been decided to include the proposed changes as part of the VRT 1.5 release

  2. Notable reports triaged this week


Fri, 9 March 2018 18:00:00 UTC

Host: @plr0man
Minutes by: @jquinard
Active participants (other than the above): @ryancblack, @jhaddix, @Dshiv, @caseyjohnellis, @danielhtrauner, @EdisK, @shipcod3
Attendees (other than the above): @rwilliamson2011, @CarlosSimas28, @paragbaxi, @raels, @MacIT-SF, @trimkadriu, @SwayzeSlacks85, @shpendk, @elyrly, @VinceMHernandez

Agenda items:

  1. General discussion and call for feedback on the pending VRT issues

  2. Notable reports triaged this week


Fri, 2 March 2018 18:00:00 UTC

Host: @plr0man
Minutes by: @VinceMHernandez
Active participants (other than the above): @ryancblack, @chrashley-, @Dshiv, @caseyjohnellis, @trimkadriu, @SwayzeSlacks85, @shpendk
Attendees (other than the above): @jquinard, @FatihEgbatan, @rwilliamson2011, @EdisK, @Tcune, @CarlosSimas28, Robert Treder, @paragbaxi, @danielhtrauner, @raels

Agenda items:

  1. Add Flash-based Cross-Site Scripting (XSS) as P4 #120
    The team is in agreement and waiting for feedback from the researchers

  2. Revise weak P4 entries #133
    The team is in agreement and waiting for any remaining comments from the researchers

  3. Revise 'Weak Login Function' subcategory #135
    The team is in agreement and waiting for feedback from the researchers

  4. Notable reports triaged this week


Fri, 23 February 2018 18:00:00 UTC

Host: @plr0man
Minutes by: @shipcod3
Active participants (other than the above): @jhaddix, @ryancblack, @andMYhacks, @EdisK, @Dshiv
Attendees (other than the above): @Trainorsploit, @samhoustonbc, @jquinard, @raels, @SwayzeSlacks85, @shpendk, @chrashley-, @VinceMHernandez, @barnett, @FatihEgbatan, @rwilliamson2011, @trimkadriu, @brenthaas

Agenda items:

  1. VRT entry for source code disclosure? #126
    Last call for action before we close this issue

  2. Privilege escalations & language #131
    The documentation delivered over support is under review

  3. Revise 'Weak Login Function' subcategory #135
    Discussed potential for distinguishing staging environment variants

  4. Notable reports triaged this week


Fri, 16 February 2018 18:00:00 UTC

Host: @plr0man
Minutes by: @Tcune
Active participants (other than the above): @EdisK, @CarlosSimas28, @jquinard, @Dshiv, @brenthaas, @adamrdavid
Attendees (other than the above): @rwilliamson2011, @shipcod3, @SwayzeSlacks85, @raels, @VinceMHernandez, @Trainorsploit, @FatihEgbatan, @katherinel, @ryancblack, @shpendk, @cmanetta, @jeff-bugcrowd

Agenda items:

  1. Discussing VRT entries that have potential to be downgraded to P5. We are reconsidering what is seen as noise/accepted risk, based on our experience with the majority of our customers and their expectations. At the same time we are offering the option to accept or customize P5s for others

  2. Notable reports triaged this week


Fri, 2 February 2018 18:00:00 UTC

Host: @plr0man
Minutes by: @Tcune
Active participants (other than the above): @EdisK, @jhaddix, @caseyjohnellis, @shpendk, @andMYhacks
Attendees (other than the above): @rwilliamson2011, @CarlosSimas28, @shipcod3, @SwayzeSlacks85, @raels, @VinceMHernandez, @Trainorsploit, @jquinard, @Dshiv, Robert Treder, @FatihEgbatan

Agenda items:

  1. Add VRT to Remediation mapping #116
    Last updates pending and the project should be completed by the EOW

  2. Revise missing OAuth state parameter variant #124
    Multiple opinions on how to approach this. Awaiting input from the team in the Issue

  3. VRT entry for source code disclosure? #126
    Multiple opinions on how to approach this. Awaiting input from the team in the Issue

  4. Suggestions for P3 #127
    Awaiting further review and input from the team in the Issue

  5. Notable reports triaged this week

  6. JHaddix showing a chrome plugin called ReproNow that helps with reproduction


Fri, 26 January 2018 18:00:00 UTC

Host: @plr0man
Minutes by: @FatihEgbatan
Active participants (other than the above): @Dshiv, @jquinard, @danielhtrauner, @adamrdavid, @EdisK, @jhaddix, Robert Treder, @samhoustonbc
Attendees (other than the above): @rwilliamson2011, @CarlosSimas28, @shipcod3, @SwayzeSlacks85, @raels, @Tcune, @VinceMHernandez, @shpendk, @DevinRiley, Chris Trainor

Agenda items:

  1. Revise missing OAUTH state parameter variant #124
    Both proposed options sound appealing. Awaiting further review and input in the issue before any decisions can be made.

  2. Notable reports triaged this week


Fri, 19 January 2018 18:00:00 UTC

Host: @plr0man
Minutes by: @plr0man
Active participants (other than the above): @Dshiv, @jquinard, @EdisK, @rwilliamson2011, @CarlosSimas28, @shipcod3, @SwayzeSlacks85, @ryancblack
Attendees (other than the above): @FatihEgbatan, @raels, @Tcune, @VinceMHernandez, @brenthaas

Agenda items:

  1. Add Stored XSS with user interaction #123
    The entry classification has been chosen and is planned to be implemented

  2. Add Flash-based Cross-Site Scripting (XSS) as P4 #120
    Closing due to lack of potential solution in the near future

  3. Notable reports triaged this week


Fri, 12 January 2018 18:00:00 UTC

Host: @plr0man
Minutes by: @VinceMHernandez
Active participants (other than the above): @Dshiv, @andMYhacks, @jquinard, @EdisK, @chrashley-
Attendees (other than the above): @FatihEgbatan, @raels, @rwilliamson2011, @danielhtrauner, @CarlosSimas28, @shpendk, @shipcod3, @SwayzeSlacks85

Agenda items:

  1. Add Stored XSS with user interaction #123
    Positive response from the team. Awaiting further review and input in the issue regarding best classification

  2. Add VRT to Remediation mapping #116
    Project is moving forward and needs volunteers for review/updates

  3. Notable reports triaged this week


Fri, 5 January 2018 18:00:00 UTC

Host: @plr0man
Minutes by: @dshiv
Active participants (other than the above): @shipcod3, @jquinard, @dshiv, @EdisK
Attendees (other than the above): @FatihEgbatan, @raels, @rwilliamson2011, @Tcune, Robert Treder

Agenda items:

  1. Folder Permissions in Thick Clients #121
    This class of reports will be closely evaluated and the VRT will be adjusted if necessary based on near future experience

  2. DLL Hijacking should be P2 or P3 #118
    Discussion in progress can be viewed in the issue

  3. Notable reports triaged this week


Fri, 29 December 2017 18:00:00 UTC

Host: @plr0man
Minutes by: @plr0man
Active participants (other than the above): @SwayzeSlacks85, @jquinard, @rwilliamson2011
Attendees (other than the above): @shipcod3, @FatihEgbatan, @ryancblack, @danielhtrauner, @raels

Agenda items:

  1. DLL Hijacking should be P2 or P3 #118
    Discussion will continue next week due to the holiday season

  2. Add Flash-based Cross-Site Scripting (XSS) as P4 #120
    It’s tempting to add an entry here, but it doesn’t seem to be the right solution for the problem. Currently this kind of additional prerequisite is considered by the ASE/customer during triage, and the default severity can be downgraded based on context. More info in #72

  3. Folder Permissions in Thick Clients #121
    Discussion will continue next week due to the holiday season

  4. Chaining vulnerabilities might require additional researcher documentation


Fri, 15 December 2017 18:00:00 UTC

Host: @ryancblack
Minutes by: @jquinard

Active participants (other than the above): @shpendk, @ryancblack

Attendees (other than the above): @SwayzeSlacks85, @Tcune, @Dshiv, @shipcod3, @EdisK, @paragbaxi, @CarlosSimas28, @brenthaas, @rwilliamson2011, @FatihEgbatan, @samhoustonbc, Devin Riley, @danielhtrauner, Grant McCracken

Agenda items:

  1. DLL Hijacking should be P2 or P3 #118
    Possibly have 2 variants? One high (P2/P3) and one P5. Keeping conversation open.

  2. Notable reports triaged this week


Fri, 8 December 2017 18:00:00 UTC

Host: @plr0man
Minutes by: @CarlosSimas28
Active participants (other than the above): @EdisK, @jquinard, @shipcod3, @barnett
Attendees (other than the above): @SwayzeSlacks85, @shpendk, @Tcune, @Dshiv, @raels, @VinceMHernandez

Announcements: We are excited to announce that VRT to CWE mapping is complete now

Agenda items:

  1. Update all VRT to CWE mappings #115
    Successfully implemented CWE mapping

  2. Add VRT to Remediation mapping #116
    A new internal PR that will be discussed as soon as we have the resources to approach the implementation

  3. Notable reports triaged this week


Fri, 1 December 2017 18:00:00 UTC

Host: @plr0man
Minutes by: @shipcod3
Active participants (other than the above): @ryancblack, @andMYhacks, @shpendk, @EdisK, @SwayzeSlacks85, @jquinard, @FatihEgbatan, @samhoustonbc
Attendees (other than the above): @rwilliamson2011, @fiid, @Tcune, Patrick Mell, @raels, @adamrdavid, @brenthaas, @CarlosSimas28, @Dshiv

Announcements: We are looking for reviewers for the VRT to CWE mappings

Agenda items:

  1. Adding 'Database Management System (DBMS) Misconfiguration' subcategory #110
    We are waiting for any last minute comments by the EOD

  2. My concerns with this project as a whole. #111
    General discussion on researcher concerns about the VRT

  3. Add VRT to CWE mapping #112
    An important milestone in the mapping between both taxonomies. We are in the process of updating the particular mappings, which will be posted as a PR ASAP.

  4. Notable reports triaged this week


Fri, 17 November 2017 18:00:00 UTC

Host: @plr0man
Minutes by: @CarlosS
Active participants (other than the above): @jquinard, @Tcune, @SwayzeSlacks85, @Dshiv, @ryancblack, @shpendk, @EdisK
Attendees (other than the above): @VinceMHernandez, @shipcod3, @rwilliamson2011, @raels, @fiid

Agenda items:

  1. Update 'All Sessions' to 'Concurrent Sessions On Logout’ #109
    There’s a little bit of confusion around what some of the current session invalidation entries stand for. We decided to update this particular variant with a more explicit name

  2. Add Source Code Disclosure #107
    Question from a researcher regarding a potential new subcategory. Currently a low-priority task that will be discussed further internally

  3. Missing SPF on Email Domain #108
    Question from a researcher regarding a case by case triage. No need for adjustments

  4. Notable reports triaged this week


Fri, 03 November 2017 18:00:00 UTC

Host: @plr0man
Minutes by: @EdisK
Active participants (other than the above): @shipcod3, @ryancblack
Attendees (other than the above): @jquinard, @SwayzeSlacks85, @VinceMHernandez, @raels, @tommedhurst, @CarlosSimas28, @paragbaxi, @brenthaas, @Dshiv, @rwilliamson2011

Agenda items:

  1. Notable reports triaged this week

Fri, 27 October 2017 18:00:00 UTC

Host: @plr0man
Minutes by: @chrashley-
Active participants (other than the above): @Dshiv, @jquinard, @shipcod3, @EdisK, @CarlosSimas28
Attendees (other than the above): @SwayzeSlacks85, @brenthaas, @raels, @FatihEgbatan, @paragbaxi, @rwilliamson2011, @ryancblack, @shpendk, @tommedhurst, @VinceMHernandez, @fiid, @Tcune

Announcements: We are looking for volunteers to help with the CWE mapping

Agenda items:

  1. Should unauthenticated-only XSS be rated as P3?
    Since this kind of vulnerability provides iframe injection potential, which is currently rated as P3 in the VRT, we will not be considering any updates at this time

  2. Should internal SSRF classification have more granularity to promote better PoCs?
    Given the potentially high security risk associated with this type of vulnerability, we will be leaving the current classification as is, incentivising these findings regardless of the researcher’s ability to exploit them further


Fri, 20 October 2017 18:00:00 UTC

Host: @plr0man
Minutes by: @FatihEgbatan
Active participants (other than the above): @jquinard, @Dshiv, @jhaddix, @rwilliamson2011, @SwayzeSlacks85, @EdisK, @shipcod3
Attendees (other than the above): @adamrdavid, @CarlosSimas28, @FatihEgbatan, @VinceMHernandez, @katherinel

Announcements: We are looking into potentially expanding the mobile entries in the VRT and any feedback in that regard.

Agenda items:

  1. CWE Mapping #99
    Background: Revisiting #33 for CWE now that CVSS (#86) is in.
    Result: We will be implementing the CWE mapping based on JHaddix's team's mapping draft. CVSS and CWE as any other mappings are designed to be in separate files under the mappings folder.

  2. Append RTLO to File Extension Filter Bypass #98
    Background: There’s a need to specify RTLO-type issues in the VRT to provide more transparency
    Result: During the internal discussion it was initially agreed to append RTLO to the current variant File Extension Filter Bypass.


Fri, 13 October 2017 18:00:00 UTC

Host: @CarlosSimas28
Co-host: N/A
Minutes by: @shipcod3
Active participants (other than the above): @rwilliamson2011, @SwayzeSlacks85
Attendees (other than the above): @jquinard, @Dshiv, @jhaddix, @EdisK, @FatihEgbatan, @VinceMHernandez, @Tcune

Agenda Items:

  1. Append RTLO to File Extension Filter Bypass #98
    Background: There’s a need to specify RTLO-type issues in the VRT for more transparency
    Result: During an internal discussion we agreed to append RTLO to the current variant File Extension Filter Bypass.

Fri, 06 October 2017 18:00:00 UTC

Host: @plr0man
Minutes by: @VinceMHernandez
Active participants (other than the above): @CarlosSimas28, @SwayzeSlacks85, @shipcod3, @jhaddix, @chrashley-
Attendees (other than the above): @Dshiv, @FatihEgbatan, @shpendk, @raels

Announcements: This week the hacking guru and Head of Trust and Security at Bugcrowd, Jason Haddix, is sharing his recent experiences with our platform and programs from a researcher perspective

Agenda items:

  1. Second Factor Authentication Bypass Proposal #94
    Background: A previously reported issue; we currently have a "Weak 2FA Implementation" entry that is context based.
    Context based seems appropriate and we will await any further feedback from other researchers.

Fri, 29 September 2017 18:00:00 UTC

Host: @plr0man
Minutes by: @shipcod3
Active participants (other than the above): @shpendk, @FatihEgbatan, @rwilliamson2011, @chrashley-, @VinceMHernandez
Attendees (other than the above): @jquinard, @SwayzeSlacks85, @raels, @tommedhurst, @Tcune, @CarlosSimas28

Announcements: The Vulnerability Roundtable will be held on Fridays as of today

Agenda items:

  1. SQL Injection priorities #92
    Background: A researcher is proposing adding a new Union-based SQL Injection entry.
    We are considering removing both SQL Injection subcategories and leaving one SQL Injection P1 category. This has to be further discussed.

  2. Add "Token is Not Invalidated After Login" variant under "Weak Password Reset Implementation" #89
    Background: Not an often-reported issue; it appears to be a P5
    We agreed that adding this entry to the VRT will be beneficial for both the researchers and the ASEs.


Mon, 18 September 2017 18:00:00 UTC

Host: @plr0man
Minutes by: @Dshiv
Active participants (other than the above): @CarlosSimas28, @jquinard, @shpendk, @SwayzeSlacks85
Attendees (other than the above): @EdisK, @shipcod3, @Timmehs, @VinceMHernandez, @FatihEgbatan, @Tcune, @ryancblack

Announcements: This week we are updating the readme to include the minutes and more information on how we use the VRT

Agenda items:

  1. Add UXSS for browser plugins and browser #85
    Background: A researcher would like to introduce a new VRT entry because he does not agree with the rating on his submission
    As much as we agree that certain UXSS issues could be rated higher than the default P4, those are exceptions. Since the VRT gives us the flexibility of adjusting the default rating, we do not feel that there’s a need to add a new entry in this case.

  2. Add CVSS mapping #86
    Background: Breaking ground for mapping the VRT to various classifications/taxonomies
    A lot of work has been done here and this PR is almost ready to merge. CVSS and CWE mappings have been separated from the main VRT file and are going to be implemented in a separate directory. We are looking for volunteers to review this PR.

  3. Added second factor bypass subcategory #87
    Background: A researcher is proposing adding 2FA bypass as a P2 entry
    We currently have an entry that is context based and seems to be appropriate given the varying security risk.

  4. Other discussion:
    Should Bugcrowd’s main VRT page be updated with more explanation on how we use the VRT?


Mon, 11 September 2017 18:00:00 UTC

Host: @plr0man
Minutes by: @Tcune
Active participants (other than the above): @CarlosSimas28, @jhaddix, @EdisK
Attendees (other than the above): @adamrdavid, @shpendk, @danielhtrauner, @FatihEgbatan, @shipcod3, @jquinard, @maschwenk, @rwilliamson2011, @SwayzeSlacks85, @Timmehs, @VinceMHernandez

Announcements: Introducing VRT duty: one ASE per week on rotation will be responsible for the Vulnerability Roundtable minutes and ongoing PR reviews.

Agenda items:

  1. Mapping to CWE and CVSS #33
    The engineering team is getting ready to release the CVSS/CWE mappings. We’re looking for volunteers to review the upcoming updates. The updates should be done by the middle of the week by @plr0man, the review should be completed by the EOW.

  2. Add Bitsquatting classification to VRT #82
    Background: We have seen numerous reports of Bitsquatting across our programs.
    Priority Verdict: Unanimously P5 - Informational. It is a low-risk hardware issue affecting computer memory and will not be considered a vulnerability in clients’ software. We will be verifying that the reported domain is not owned by the client and checking whether it is a Bitsquatting domain to determine if the report qualifies as applicable.
    Category Verdict: To be discussed in the Issue

  3. Broken Link Hijacking #84
    Background: Good writeup. However, we do not see the need to add/change any entries, as it looks like the current entries are sufficient to classify all potential scenarios. An important note is that researchers have to provide evidence similar to that required for subdomain takeover.
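The Bitsquatting check described in item 2 above (is the reported domain owned by the client, and if not, is it a single-bit flip of a client domain?), as an added triage helper that is not part of the VRT project or these minutes. The domain names used are constructed samples; `triage_bitsquat_report` and the other function names are assumed here.

```python
"""Added example (not the VRT project's code): triage helper for Bitsquatting reports.
A bitsquat domain differs from the legitimate domain by exactly one flipped bit in
exactly one character, which is what separates it from ordinary typosquatting."""
from __future__ import annotations
from typing import Optional

# Characters allowed in a hostname label (letters, digits, hyphen), lowercase only.
HOSTNAME_CHARS = frozenset("abcdefghijklmnopqrstuvwxyz0123456789-")


def _labels(domain: str) -> list[str]:
    """Normalise a domain: lowercase, strip a trailing dot, split into labels."""
    return domain.strip().lower().rstrip(".").split(".")


def single_bit_flip(a: str, b: str) -> Optional[int]:
    """Return the flipped bit index (0-7) if labels a and b have the same length and
    differ in exactly one character by exactly one bit; otherwise None."""
    if len(a) != len(b):
        return None
    diffs = [(x, y) for x, y in zip(a, b) if x != y]
    if len(diffs) != 1:
        return None
    delta = ord(diffs[0][0]) ^ ord(diffs[0][1])
    if delta & (delta - 1):        # more than one bit set: not a bit flip
        return None
    return delta.bit_length() - 1


def bitsquat_of(reported: str, client: str) -> Optional[dict]:
    """Details of the flip if `reported` is a one-bit variant of `client`
    (same label count, exactly one label differs, by one bit), else None."""
    r, c = _labels(reported), _labels(client)
    if len(r) != len(c):
        return None
    changed = [i for i in range(len(c)) if r[i] != c[i]]
    if len(changed) != 1:
        return None
    i = changed[0]
    bit = single_bit_flip(c[i], r[i])
    if bit is None or not set(r[i]) <= HOSTNAME_CHARS:
        return None
    return {"label_index": i, "client_label": c[i], "reported_label": r[i], "bit": bit}


def bitsquat_variants(domain: str) -> set[str]:
    """Every registrable single-bit-flip variant of a domain: the list a defender
    would monitor or pre-register, and the set a reported domain is checked against."""
    labels = _labels(domain)
    out: set[str] = set()
    for i, label in enumerate(labels):
        for j, ch in enumerate(label):
            for bit in range(8):
                flipped = chr(ord(ch) ^ (1 << bit))
                if flipped in HOSTNAME_CHARS:
                    new = label[:j] + flipped + label[j + 1:]
                    if new[0] != "-" and new[-1] != "-":   # labels cannot start/end with '-'
                        out.add(".".join(labels[:i] + [new] + labels[i + 1:]))
    return out


def triage_bitsquat_report(reported: str, client_domains: list[str]) -> str:
    """Verdict logic from the minutes: a domain the client owns is not a finding;
    otherwise the report is 'bitsquat' only if it is a one-bit flip of a client
    domain, and 'not_bitsquat' for typo or homoglyph look-alikes."""
    owned = {".".join(_labels(d)) for d in client_domains}
    if ".".join(_labels(reported)) in owned:
        return "owned_by_client"
    for client in client_domains:
        if bitsquat_of(reported, client) is not None:
            return "bitsquat"
    return "not_bitsquat"


if __name__ == "__main__":
    # Constructed sample: 'x' (0x78) -> 'z' (0x7a) is a flip of bit 1.
    print(triage_bitsquat_report("ezample.com", ["example.com"]))   # bitsquat
    print(triage_bitsquat_report("examp1e.com", ["example.com"]))   # not_bitsquat
```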


Mon, 28 August 2017 18:00:00 UTC

Host: @plr0man
Co-host: @CarlosSimas28
Minutes by: @jquinard
Active participants (other than the above): @shipcod3, @rwilliamson2011, @SwayzeSlacks85, @ryancblack
Attendees (other than the above): @EdisK, @chrashley-, @FatihEgbatan, @shpendk, @VinceMHernandez, @Dshiv

Announcements: We are beginning to publish minutes from the VRT oriented part of the Vulnerability Roundtable

Agenda items:

  1. Adding Missing DNS CAA Record Classification #78
    Background: Numerous submissions being recently made across our programs
    Verdict: Unanimously P5 - Informational due to the defense-in-depth nature of this security mechanism.

  2. Adding TapJacking classification to VRT #79
    Background: A class of issues that was being looked into as a potential P4, similar to Clickjacking
    Verdict: Unanimously P5 - Informational due to multiple prerequisites, mainly the need to perform it on an unpatched Android Marshmallow or earlier unsupported versions.
