BIPI

Bugcrowd VRT Decoded: Severity Calibration to Maximize Payout

Cybersecurity

Bugcrowd does not pay on CVSS, it pays on the Vulnerability Rating Taxonomy. Learn how the VRT decides P1 to P5, where calibration disputes are won, and how to frame impact so your finding lands at the right tier.

By Arjun Raghavan, Security & Systems Lead, BIPI · April 30, 2023 · 8 min read

#bugcrowd #vrt #severity #bug-bounty #payout

VRT, not CVSS, decides your check

Bugcrowd uses its own Vulnerability Rating Taxonomy, a category tree that maps each finding to a Priority from P1 to P5. CVSS scores you compute mean nothing if the VRT category lands you on P3.

The VRT is public, versioned, and updated. Read it before you submit, and find the exact leaf that matches your finding. If your report cites the wrong leaf, you give triage permission to downgrade.

The four levers that move VRT priority

  • Privilege required, unauthenticated beats any authenticated user beats admin or other high-privilege role.
  • User interaction required, zero click beats one click beats targeted phishing.
  • Asset criticality, production beats staging beats marketing site.
  • Data sensitivity, PII or secrets beats functional data beats public data.

Common downgrade traps

  1. Stored XSS in admin only context, downgraded to P4 because privilege required is high.
  2. SSRF without metadata access, often P3 unless you prove cloud credential reach.
  3. IDOR on low sensitivity data, P4 unless you tie it to PII or financial impact.
  4. Open redirect alone, P5, unless chained into OAuth code theft.
  5. Subdomain takeover on parked domain, P4 unless you prove cookie or trust impact.

Framing impact to hit the right tier

Triage reads your impact paragraph first. Lead with the worst realistic outcome, then prove it with a working PoC. If you write "SSRF can be used to scan internal services", you get P3. If you write "SSRF reaches IMDS, retrieves IAM credentials, and lists S3 buckets", and the PoC shows it, you get P2 or P1.

When to dispute calibration

Disputes are won on three grounds: the wrong VRT leaf was selected, context is missing that changes the leaf, or a program-specific exception in the brief raises severity. Anything else, including "I think this is worth more", will lose.

VRT exceptions in program briefs

  • Program may upgrade certain categories, like PII exposure, by one tier.
  • Program may downgrade certain categories, like self XSS, to out of scope.
  • Program may set a minimum payout floor higher than the VRT default.
  • Always quote the brief in your report so triage cannot miss the exception.

How to write a VRT aligned report

  1. Open with the VRT category and your proposed Priority.
  2. List the authentication, interaction, and asset facts that justify the Priority.
  3. Provide a PoC that demonstrates the worst realistic impact.
  4. Cite any program brief clauses that affect calibration.
  5. Close with remediation that matches the category, not generic advice.

The VRT is a contract. Read it, quote it, and triage will pay you to the letter.

What to do when calibration lands wrong

Reply once, professionally, with the specific VRT leaf you believe applies and the evidence. If triage holds the line, accept and move on. A second dispute almost never wins and it costs you on future calibration calls in the same program.

Read more field notes, explore our services, or get in touch at info@bipi.in. Privacy Policy · Terms.