by justsomeuser 2115 days ago
I found an XSS bug in a popular note taking app. It would allow an attacker to download all the users' notes just by having them visit a URL.

I reported it on HackerOne, it was only after I refused to post it on their free program that they added me to their paid private one.

It was marked as "medium", I got $250 for it.

2 comments

Do you disagree with the severity? I assess it to have a 6.5 (medium) CVSS score.

https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L...

I realise it’s a medium on that scale and I cannot argue otherwise.

But I think how private that data is to the end user should also be taken into account. It’s a medium for technical risk (relative to server remote exec), but it should be seen as a high priority for the company and rewarded as such.

If an end user were to ask that company “why did you leak all my private data” their response would be “your data is worth less than $250 in human labour and is seen as a medium security risk”?

The authenticated one-click social engineering aspect of this significantly lowers exploit probability and overall risk.

This is true, but this attack could work in an iframe in the background without that click. An attacker could buy a popular blog on the note taking app, and run the iframe in the background collecting data for years. The bug was at least 5 years old.

CVSS is an Ouija board and you can make it say whatever you want, which is why very few practitioners take it seriously.

Sure, some of it is open to interpretation, but I disagree with it not being taken seriously. This is the basis for CVEs, most bounty tables, and most audit reports (that I've seen).

I'm a practitioner, I've managed bug bounties for several companies, and spent 15 of the last 20 years doing assessment work almost exclusively, and nobody takes CVSS seriously. It doesn't say anything to point out that some people structure "bounty tables" based on CVSS, because, as I said, it's an Ouija board; the actual rules for what bugs are worth are still ad hoc, they're just used to determine the CVSS instead of the price directly. And that's not a super common practice!

CVSS scores are put into audit reports --- at the Ouija levels clients want --- to shut up the suits in compliance.

CVSS being used as a basis for bounty payments is certainly evidence that it is taken seriously. Of course there are details that have to be factored in after that calculation, since CVSS is simplified for general usage.

I'm not aware of any programs on HackerOne that don't follow this practice, so it's not "super uncommon".

I've been in security for a while and once received a report of a CVSS score that was egregiously high at Critical.

I modified the assumptions that were made by the reporter and came out with Low.

This is one example of why this is a nonsense metric.

Any metric is nonsense if used improperly.

I am arguing that there is no proper way to use this.

Any Ouija board lies with the wrong seance supervisor.

That's a pretty normal price for an XSS.

Dropbox and co pay $10,000 for the same exploit.

Then you should sell it to Dropbox, because $10,000 is extremely high for an XSS vulnerability.

I do not have the market rates for vulnerabilities, but I do know some pen testing companies charge $10,000 for a few days of work that may not return any concrete bugs.

Compared with hiring a pen testing team, offering high bounties seems like a bargain as you get actual exploits that would impact the company.

Yes, that is the premise behind bug bounties. If you're a vulnerability researcher with a track record, you will probably make better money and certainly more consistent money as a pentester. Many pentesters just do both.

I have, uh, some experience with the rates here.

Can I ask, if you were the owner of the popular note taking app, what bounty would you want to have paid for that vulnerability? I.e.:

"XSS bug in a popular note taking app ... attacker to download all the users notes just by having them visit a URL"

So as to not feel worried that future vulnerabilities would get sold on the black market instead.