Skip to content

Releases: bugcrowd/vulnerability-rating-taxonomy

v1.18 - 2026-03-09

06 Mar 09:09
@abhinav-nain abhinav-nain
v1.18
5a74938
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
v1.18 - 2026-03-09 Latest
Latest

Other

  • Added support for CVSS V4 scoring
Assets 2
Loading

v1.17 - 2025-08-19

18 Aug 18:35
@abhinav-nain abhinav-nain
v1.17
eb57585
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
v1.17 - 2025-08-19

Added

  • Cloud Security - Identity and Access Management (IAM) Misconfigurations - Overly Permissive IAM Roles - P2
  • Cloud Security - Identity and Access Management (IAM) Misconfigurations - Publicly Accessible IAM Credentials - P1
  • Cloud Security - Storage Misconfigurations - Publicly Accessible Cloud Storage - Varies
  • Cloud Security - Storage Misconfigurations - Unencrypted Sensitive Data at Rest - P2
  • Cloud Security - Network Configuration Issues - Open Management Ports to the Internet - P3
  • Cloud Security - Network Configuration Issues - Lack of Network Segmentation - P3
  • Cloud Security - Misconfigured Services and APIs - Exposed Debug or Admin Interfaces - Varies
  • Cloud Security - Misconfigured Services and APIs - Insecure API Endpoints - P4
  • Cloud Security - Logging and Monitoring Issues - Disabled or Insufficient Logging - P5
  • Server-Side Injection - Exposed Data - Non-Sensitive Data - P5
  • Server-Side Injection - Exposed Data - Sensitive Data - Varies
  • Server Security Misconfiguration - Exposed Portal - Protected - P5
  • Server Security Misconfiguration - Exposed Portal - Admin Portal - P1
  • Server Security Misconfiguration - Exposed Portal - Non-Admin Portal - P3

Removed

  • Server Security Misconfiguration - Exposed Admin Portal - To Internet
Loading

v1.16 - 2025-06-23

20 Jun 11:56
@abhinav-nain abhinav-nain
v1.16
6211aad
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
v1.16 - 2025-06-23

Added

  • Broken Access Control (BAC) - Bypass of Password Confirmation - Change Password - P4
  • Sensitive Data Exposure - GraphQL Introspection Enabled - P5
  • AI Application Security - Training Data Poisoning - Backdoor Injection / Bias Manipulation - P1
  • AI Application Security - Model Extraction - API Query-Based Model Reconstruction - P1
  • AI Application Security - Sensitive Information Disclosure - Cross-Tenant PII Leakage/Exposure - P1
  • AI Application Security - Sensitive Information Disclosure - Key Leak - P1
  • AI Application Security - Remote Code Execution - Full System Compromise - P1
  • AI Application Security - Remote Code Execution - Sandboxed Container Code Execution - P2
  • AI Application Security - Prompt Injection - System Prompt Leakage - P2
  • AI Application Security - Vector and Embedding Weaknesses - Embedding Exfiltration / Model Extraction - P2
  • AI Application Security - Vector and Embedding Weaknesses - Semantic Indexing - P3
  • AI Application Security - Denial-of-Service (DoS) - Application-Wide - P2
  • AI Application Security - AI Safety - Misinformation / Wrong Factual Data - P4
  • AI Application Security - Insufficient Rate Limiting - Query Flooding / API Token Abuse - P4
  • AI Application Security - Denial-of-Service (DoS) - Tenant-Scoped - P4
  • AI Application Security - Adversarial Example Injection - AI Misclassification Attacks - P4
  • AI Application Security - Improper Output Handling - Cross-Site Scripting (XSS) - P3
  • AI Application Security - Improper Output Handling - Markdown/HTML Injection - P4
  • AI Application Security - Improper Input Handling - ANSI Escape Codes - P5
  • AI Application Security - Improper Input Handling - Unicode Confusables - P5
  • AI Application Security - Improper Input Handling - RTL Overrides - P5

Removed

  • AI Application Security - Large Language Model (LLM) Security - LLM Output Handling - P1
  • AI Application Security - Large Language Model (LLM) Security - Prompt Injection - P1
  • AI Application Security - Large Language Model (LLM) Security - Training Data Poisoning - P1
  • AI Application Security - Large Language Model (LLM) Security - Excessive Agency/Permission Manipulation - P2

Other

  • Removed CVSS score for VRT entries with 'VARIES' priority, and added default CVSS (0 score) wherever missing.
  • Fixed 'deprecated-node-mapping.json' file to reflect the correct format and fill in missing values.
Loading

v1.15.1 - 2025-03-11

11 Mar 11:29
@abhinav-nain abhinav-nain
v1.15.1
6f8e8d6
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
v1.15.1 - 2025-03-11

Added

  • Server Security Misconfiguration - Cache Deception - Varies

Other

  • Fixed minor issues with deprecated-node-mapping.json file.
  • Adding missing issues from deprecated-node-mapping.json file.
Loading

v1.15 - 2025-02-12

12 Feb 10:48
@abhinav-nain abhinav-nain
v1.15
33c1704
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
v1.15 - 2025-02-12

Added

  • Decentralized Application Misconfiguration - Insecure Data Storage - Plaintext Private Key - P1
  • Decentralized Application Misconfiguration - Insecure Data Storage - Sensitive Information Exposure - Varies
  • Decentralized Application Misconfiguration - Improper Authorization - Insufficient Signature Validation - Varies
  • Decentralized Application Misconfiguration - DeFi Security - Flash Loan Attack - Varies
  • Decentralized Application Misconfiguration - DeFi Security - Pricing Oracle Manipulation - Varies
  • Decentralized Application Misconfiguration - DeFi Security - Function-Level Accounting Error - Varies
  • Decentralized Application Misconfiguration - DeFi Security - Improper Implementation of Governance - Varies
  • Decentralized Application Misconfiguration - Marketplace Security - Signer Account Takeover - P1
  • Decentralized Application Misconfiguration - Marketplace Security - Unauthorized Asset Transfer - P1
  • Decentralized Application Misconfiguration - Marketplace Security - Orderbook Manipulation - P1
  • Decentralized Application Misconfiguration - Marketplace Security - Malicious Order Offer - P2
  • Decentralized Application Misconfiguration - Marketplace Security - Price or Fee Manipulation - P2
  • Decentralized Application Misconfiguration - Marketplace Security - OFAC Bypass - P3
  • Decentralized Application Misconfiguration - Marketplace Security - Improper Validation and Checks For Deposits and Withdrawals - Varies
  • Decentralized Application Misconfiguration - Marketplace Security - Miscalculated Accounting Logic - Varies
  • Decentralized Application Misconfiguration - Marketplace Security - Denial of Service - Varies
  • Decentralized Application Misconfiguration - Protocol Security Misconfiguration - Node-level Denial of Service - P1
  • Protocol Specific Misconfiguration - Frontrunning-Enabled Attack - P2
  • Protocol Specific Misconfiguration - Sandwich-Enabled Attack - P2
  • Protocol Specific Misconfiguration - Misconfigured Staking Logic - Varies
  • Protocol Specific Misconfiguration - Improper Validation and Finalization Logic - Varies
  • Smart Contract Misconfiguration - Reentrancy Attack - P1
  • Smart Contract Misconfiguration - Smart Contract Owner Takeover - P1
  • Smart Contract Misconfiguration - Uninitialized Variables - P1
  • Smart Contract Misconfiguration - Unauthorized Transfer of Funds - P1
  • Smart Contract Misconfiguration - Integer Overflow / Underflow - P2
  • Smart Contract Misconfiguration - Unauthorized Smart Contract Approval - P2
  • Smart Contract Misconfiguration - Irreversible Function Call - P3
  • Smart Contract Misconfiguration - Function-level Denial of Service - P3
  • Smart Contract Misconfiguration - Malicious Superuser Risk - P3
  • Smart Contract Misconfiguration - Improper Fee Implementation - P3
  • Smart Contract Misconfiguration - Improper Use of Modifier - P4
  • Smart Contract Misconfiguration - Improper Decimals Implementation - P4
  • Smart Contract Misconfiguration - Inaccurate Rounding Calculation - Varies
  • Smart Contract Misconfiguration - Bypass of Function Modifiers & Checks - Varies
  • Zero Knowledge Security Misconfiguration - Missing Constraint - Varies
  • Zero Knowledge Security Misconfiguration - Mismatching Bit Lengths - Varies
  • Zero Knowledge Security Misconfiguration - Misconfigured Trusted Setup - Varies
  • Zero Knowledge Security Misconfiguration - Missing Range Check - Varies
  • Zero Knowledge Security Misconfiguration - Improper Proof Validation and Finalization Logic - P1
  • Zero Knowledge Security Misconfiguration - Deanonymization of Data - P1
  • Blockchain Infrastructure Misconfiguration - Improper Bridge Validation and Verification Logic - Varies
  • Broken Authentication and Session Management - SAML Replay - P5

Changed

FROM:

  • Broken Access Control (BAC) - Insecure Direct Object References (IDOR) - Read/Edit/Delete Sensitive Information/Iterable Object Identifiers - P1
  • Broken Access Control (BAC) - Insecure Direct Object References (IDOR) - Edit/Delete Sensitive Information/Iterable Object Identifiers - P2
  • Broken Access Control (BAC) - Insecure Direct Object References (IDOR) - Read Sensitive Information/Iterable Object Identifiers - P3
  • Broken Access Control (BAC) - Insecure Direct Object References (IDOR) - Read/Edit/Delete Sensitive Information/Complex Object Identifiers(GUID) - P4
  • Broken Access Control (BAC) - Insecure Direct Object References (IDOR) - Read/Edit/Delete Non-Sensitive Information - P5

TO:

  • Broken Access Control (BAC) - Insecure Direct Object References (IDOR) - Modify/View Sensitive Information(Iterable Object Identifiers) - P1
  • Broken Access Control (BAC) - Insecure Direct Object References (IDOR) - Modify Sensitive Information(Iterable Object Identifiers) - P2
  • Broken Access Control (BAC) - Insecure Direct Object References (IDOR) - View Sensitive Information(Iterable Object Identifiers) - P3
  • Broken Access Control (BAC) - Insecure Direct Object References (IDOR) - Modify/View Sensitive Information(Complex Object Identifiers GUID/UUID) - P4
  • Broken Access Control (BAC) - Insecure Direct Object References (IDOR) - View Non-Sensitive Information - P5

Other

  • CVSS Score correction for Server Security Misconfiguration - Mail Server Misconfiguration - Email Spoofing to Inbox due to Missing or Misconfigured DMARC on Email Domain - P4.
  • All JSONs, i.e., VRT and its mapping JSONs are now alphabetically sorted.
  • Internal library changes to add a new helper script that aids in sorting the JSONs.
Loading

v1.14.2 - 2024-10-25

25 Oct 08:05
@rohit-bugcrowd rohit-bugcrowd
v1.14.2
5c0a021
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
v1.14.2 - 2024-10-25

Removed

  • Server Security Misconfiguration - Misconfigured DNS - High Impact Subdomain Takeover: P2

Changed

From:

  • Server Security Misconfiguration - Misconfigured DNS - Basic Subdomain Takeover: P3

To:

  • Server Security Misconfiguration - Misconfigured DNS - Subdomain Takeover: P3
Loading

v1.14.1 - 2024-07-18

17 Jul 08:58
@rohit-bugcrowd rohit-bugcrowd
v1.14.1
e8949bc
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
v1.14.1 - 2024-07-18

Changed

  • vulnerability-rating-taxononomy.json correction
Loading

v1.14 - 2024-07-09

08 Jul 13:40
@abhinav-nain abhinav-nain
v1.14
bef50bb
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
v1.14 - 2024-07-09

Added

  • Server Security Misconfiguration - Email verification bypass - P5
  • Server Security Misconfiguration - Missing Subresource Integrity - P5
  • Sensitive Data Exposure - Token Leakage via Referer - Password Reset Token - P5
  • Server Security Misconfiguration - Software Package Takeover - VARIES
  • Broken Access Control (BAC) - Privilege Escalation - VARIES
  • Data Biases - Representation Bias - VARIES
  • Data Biases - Pre-existing Bias - VARIES
  • Algorithmic Biases - Processing Bias - VARIES
  • Algorithmic Biases - Aggregation Bias - VARIES
  • Societal Biases - Confirmation Bias - VARIES
  • Societal Biases - Systemic Bias - VARIES
  • Misinterpretation Biases - Context Ignorance - VARIES
  • Developer Biases - Implicit Bias - VARIES

Removed

  • Broken Authentication and Session Management - Privilege Escalation - VARIES
Loading

v1.13 - 2024-04-02

03 Apr 10:38
@abhinav-nain abhinav-nain
v1.13
c39d933
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
v1.13 - 2024-04-02

Added

  • Physical Security Issues - Bypass of physical access control - VARIES
  • Physical Security Issues - Weakness in physical access control - Clonable Key - VARIES
  • Physical Security Issues - Weakness in physical access control - Master Key Identification - VARIES
  • Physical Security Issues - Weakness in physical access control - Commonly Keyed System - P2
  • Insecure OS/Firmware - Weakness in Firmware Updates - Firmware cannot be updated - VARIES
  • Insecure OS/Firmware - Weakness in Firmware Updates - Firmware does not validate update integrity- P3
  • Insecure OS/Firmware - Weakness in Firmware Updates - Firmware is not encrypted- P5
  • Insecure OS/Firmware - Kiosk Escape or Breakout - VARIES
  • Insecure OS/Firmware - Poorly Configured Disk Encryption - VARIES
  • Insecure OS/Firmware - Shared Credentials on Storage - P3
  • Insecure OS/Firmware - Over-Permissioned Credentials on Storage - P2
  • Insecure OS/Firmware - Local Administrator on default environment - P2
  • Insecure OS/Firmware - Poorly Configured Operating System Security - VARIES
  • Insecure OS/Firmware - Recovery of Disk Contains Sensitive Material - VARIES
  • Insecure OS/Firmware - Failure to Remove Sensitive Artifacts from Disk - VARIES
  • Insecure OS/Firmware - Data not encrypted at rest - Sensitive - VARIES
  • Insecure OS/Firmware - Data not encrypted at rest - Non sensitive - P5
Loading

v1.12 - 2023-12-18

14 Dec 10:32
@jhas3c jhas3c
v1.12
10397d0
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
v1.12 - 2023-12-18

Added

  • Application Level DoS - Excessive Resource Consumption - Injection (Prompt) - VARIES
  • AI Application Security - Large Language Model (LLM) Security - Prompt Injection - P1
  • AI Application Security - Large Language Model (LLM) Security - LLM Output Handling - P1
  • AI Application Security - Large Language Model (LLM) Security - Training Data Poisoning - P1
  • AI Application Security - Large Language Model (LLM) Security - Excessive Agency/Permission Manipulation - P2
Loading