Navigating CVSS Objections in Bug Bounty Programs: Guidelines for Security Researchers and Companies

Bug bounty programs are an effective way to improve an organization’s cybersecurity posture by incentivizing security researchers to identify and report vulnerabilities in their systems. However, in such programs, the Common Vulnerability Scoring System (CVSS) is used as the primary severity selection method, which can sometimes result in disagreements between security researchers and the companies offering the bug bounty.

If you find yourself in such a situation, where you need to object to the CVSS score, it is important to follow some guidelines to ensure that the objection is considered fairly and effectively. Here are some rules to keep in mind:

1. Each bug submission should be treated separately, and objections should be clearly indicated as a separate entry without referring to other submissions or evaluations.
2. Instead of objecting to the end result (CVSS score), objections should be made to the parameters within CVSS that led to the score. This will help the platform validators and triage team better understand the reasoning behind the objection and the proposed solution.
3. If the objection is related to more than one parameter, each parameter should be explained separately in a separate paragraph.

When objecting to a CVSS parameter, the following information should be provided:

1. The name of the parameter that you are objecting to.
2. The current value of that parameter.
3. Your proposed value of that parameter. (User can check the post on detailed information on CVSS parameters)
4. An explanation of why the value should be what you are proposing.

It is important to remember that CVSS is a useful tool for understanding the overall priority of a bug, but it is not perfect and may not always accurately reflect the severity of a vulnerability. Therefore, it is important to communicate effectively and transparently when objecting to a CVSS score.

Bug bounty programs can greatly benefit both security researchers and companies, but disagreements can sometimes arise. By following these guidelines, objections can be handled in an open, ethical, and transparent manner, and the cybersecurity posture of the organization can be further strengthened.

BugBounter: Your Trusted Bug Bounty Platform

BugBounter democratizes access to cyber security expertise by providing comprehensive security testing and vulnerability assessment services to businesses and organizations, regardless of their size or budget. With a diverse and expert cyber security researcher of more than 4.000 ethical hackers, and a guaranteed ROI, BugBounter can be trusted partner in cyber security.
Get a demo today.