Bug Bounty Severity Calibration: CVSS 3.1 in the Real World
Cybersecurity
CVSS is imperfect, but it is the language programs speak. The trick is using it to justify your severity without overreaching. Here is how to set each metric honestly, when to push back on triage, and the recurring vectors for common bug classes.
By Arjun Raghavan, Security & Systems Lead, BIPI · June 26, 2023 · 9 min read
CVSS is a contract, not a verdict
Programs use CVSS to map bugs to bounty tiers. They will override you, but a well-justified vector forces them to argue specifics, which is where you win.
The eight base metrics, briefly
- AV, attack vector: network (N), adjacent (A), local (L), physical (P)
- AC, attack complexity: low (L) or high (H)
- PR, privileges required: none (N), low (L), high (H)
- UI, user interaction: none (N) or required (R)
- S, scope: unchanged (U) or changed (C)
- C, I, A, confidentiality, integrity and availability impact: each none (N), low (L) or high (H). The single letters are what the vector strings below use
Where hunters routinely overreach
- AV network when the attack needs the same LAN or Wi-Fi segment, that is adjacent
- PR none when the attacker needs an account to reach the flaw, that is low. PR describes the attacker's privileges; a victim who happens to be logged in does not change it
- UI none when the attack needs the victim to click a link or visit a page, that is required
- S changed when the vulnerable component and the impacted component sit under the same security authority, the impact has to cross into something a different authority manages
Where hunters routinely underreach
- S changed when an XSS in tenant A reaches an admin in tenant B, that crosses a security boundary
- C high for partial data when the partial data includes credentials, tokens or session material
- I high for any persistent admin-level action, forcing a password reset on another account is I high, not I low
Recurring vectors for common classes
- Stored XSS leading to ATO, AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N, 8.7 for this vector; PR none lifts it to 9.3, PR high drops it to 8.1
- IDOR reading PII, AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, 6.5
- SSRF reaching cloud metadata, AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N, 9.6; claim A:L only if you can show an availability effect, which takes it to 9.9
- Unauthenticated RCE, AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, the classic 9.8, or 10.0 with S:C
- Reflected XSS with low impact, AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, 6.1 by default
Temporal and environmental metrics
Most programs ignore these. Skip them in your report unless the program asks. Stick to base score and one line of impact narrative.
When the program disagrees
Reply with the specific metric you dispute and a one-sentence argument. Do not relitigate the whole vector. Programs respond well to focused pushback, badly to general complaints.
When CVSS undersells your bug
Some bugs score low on CVSS but matter a lot, business logic flaws that move money, for example. Add a business impact section that translates the bug into dollars or compliance violations, separate from the CVSS score.
Tool, the official calculator
Use the first.org CVSS 3.1 calculator, pre-fill your values, and paste the resulting URL into your report. The vector string travels in the URL fragment, for example https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, so triagers can click and tweak a single metric rather than retype the whole vector.
CVSS will not save a weak report. But a strong report with a wrong CVSS will get pulled into a long, unnecessary argument. Get the vector right the first time.
A note on CVSS 4.0
Some programs are starting to accept CVSS 4.0 scoring. Until your target's program guidelines explicitly require it, stick with 3.1, that is what most platforms still automate against.
Read more field notes, explore our services, or get in touch at info@bipi.in. Privacy Policy · Terms.