Bugcrowd has announced updates to its Vulnerability Rating Taxonomy (VRT), which categorizes and prioritizes crowdsourced vulnerabilities.
The new update specifically addresses vulnerabilities in Large Language Models (LLMs) for the first time. The VRT is an open-source initiative aiming to standardize how suspected vulnerabilities reported by hackers are classified.
“This new release of VRT not only opens up a new form of offensive security research and red teaming to program participants, but it helps companies increase their scope to include these additional attack vectors,” said Ads Dawson, senior security engineer for LLM platform provider Cohere and a key contributor to the release. “I am looking forward to seeing how this VRT release will influence researchers and companies looking to fortify their defenses against these newly introduced attack concepts.”
In 2016, Bugcrowd launched the VRT, initially developed as an in-house tool. It has since become an open-source project for collaboration among Bugcrowd’s customers, application security engineers, and researchers. The VRT serves as a shared framework for assessing the severity of cybersecurity risks and adapting to the evolving threat landscape.
Bugcrowd’s VRT establishes a baseline technical severity rating for common vulnerability classes, taking into account potential variations in edge cases. This rating is determined by Bugcrowd’s application security engineers, who begin with widely accepted industry guidelines. They then factor in the vulnerability’s average acceptance rate, average priority, and its frequency on business use case-specific exclusion lists across all Bugcrowd programs to arrive at the baseline technical severity rating.