How do you assess the severity of a report using the CVSS calculator? How can you write a good report? Security Analyst, Lennaert Oudshoorn, wrote down some tips and tricks.

First of all, what is CVSS? CVSS stands for the Common Vulnerability Scoring System, and is a free and open industry standard developed by first.org for assessing the severity of computer system security vulnerabilities. In Bug Bounty this standard is often used for just that, to measure the severity of the reported vulnerability. To have your report smoothly triaged it is important to correctly set the score, and in order to do so you should know the different metrics and what each of the options means. 

What are the categories of the CVSS scores?

CVSS scores are divided into five categories:

• None, a score of 0.0 (Informational in the Zerocopter Platform)

• Low, a score between 0.1 and 3.9

• Medium, a score between 4.0 and 6.9

• High, a score between 7.0 and 8.9

• Critical, a score between 9.0 and 10.0

When submitting a finding on the Zerocopter platform you see an option called the “CVSS Calculator” while writing your report, clicking this button will open the calculator:

Here you see the different metrics that the system uses to calculate the severity score of your vulnerability. These metrics are as follows:

You can read more about these metrics and their possible options in the CVSS specification document.

Let’s look at an example and fill in the calculator for a reflected cross-site scripting vulnerability. 

• The Attack Vector is Network, as the attacker doesn’t need to be on the same network as the victim or have Physical access.

• The Attack Complexity is Low, when a browser loads the payload, it will always execute. 

• The Privileges Required are None, the attacker doesn’t need to be authenticated to send the victim a URL with the payload in it. 

• User Interaction is required, the victim does need to click the link. 

• The Scope has changed, as the vulnerable component is the website, but the impacted component is the user’s web browser that executes the payload.

From the Impact Metrics (Confidentiality, Integrity, Availability) the Confidentiality is highly impacted, as the attacker can gain access to a victims cookies and take over a session, the impact on the Integrity is low, as the attacker can redraw the DOM but only for a single viewer, and no stored data on the website is impacted by this attack. There is no impact to the availability of the system. 

There are more great examples of how to use the calculator and how to score vulnerabilities here.

As you can see in the image above, the calculator has come to a score of 8.2, a high impact vulnerability. It also shows what is called a vector string, a textual representation of the CVSS Score, in this case: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N

How to write a high quality report?

To write a high quality report, it should be complete, and a complete report has the following:

• A description of the vulnerability: The description should outline the vulnerability and what the potential impact is.‍

• Steps to reproduce : The steps to reproduce the vulnerability should be clear and concise, because triage and security teams need to have all the details to verify and validate the reported vulnerability. Clear steps to reproduce the issue and a working Proof Of Concept (POC) are required, without these a report can’t be accepted. Screenshots and videos can help in explaining the required steps, but are not a replacement for the written reproduction steps. ‍

• A suggestion for possible solutions: This is greatly appreciated by our clients, but we understand that sometimes it’s impossible to give this advice without internal knowledge about the affected systems.

Of course, it is also important that the report is readable and understandable, so we always advise you to read through it once more before submitting. And we will talk about that in our next blog! Stay tuned!