undefined | Better HN

0 pointstptacek5y ago0 comments

I'm a practitioner, I've managed bug bounties for several companies, and spent 15 of the last 20 years doing assessment work almost exclusively, and nobody takes CVSS seriously. It doesn't say anything to point out that some people structure "bounty tables" based on CVSS, because, as I said, it's a ouija board; the actual rules for what bugs are worth are still ad hoc, they're just used to determine the CVSS instead of the price directly. And that's not a super common practice!

CVSS scores are put into audit reports --- at the ouiji levels clients want --- to shut up the suits in compliance.

0 comments

jsploit5y ago

CVSS being used as a basis for bounty payments is certainly evidence that it is taken seriously. Of course there are details that have to be factored in after that calculation, since CVSS is simplified for general usage.

I'm not aware of any programs on HackerOne that don't follow this practice, so it's not "super uncommon".

j / k navigate · click thread line to collapse

0 pointstptacek5y ago0 comments

CVSS scores are put into audit reports --- at the ouiji levels clients want --- to shut up the suits in compliance.

0 comments

jsploit5y ago

I'm not aware of any programs on HackerOne that don't follow this practice, so it's not "super uncommon".

j / k navigate · click thread line to collapse