Add CVSS 4 mapping #489
Merged
We're adding support for CVSS4 vectors, which means we should have refreshed and updated default vector suggestions for VRT items. Using our CVSS3 mappings as a base, and making some philosophical choices about how new CVSS attributes get applied, we generate CVSS4 mappings using a script that we can run again in the future if we need to (we're encoding our choices repeatably). As part of this exercise I discovered a few newer VRT items that never received a CVSS mapping at all, and I made some educated guesses about what those should be, but these choices definitely need reviewing by someone with more security expertise than I.
nnons approved these changes on Feb 24, 2026
nnons left a comment:
Minor code changes and some VRT compat scripts. LGTM
Adds support for CVSS4, by the same pattern established with CVSS3 mappings.
These mappings are used internally at Bugcrowd to auto-suggest CVSS vectors to customers who want to use them. Like the VRT itself, these suggestions are not final determinations, but a starting point for a conversation or line of thinking.
Some CVSS attributes require specific detail about the vulnerability or weakness being discussed. For example, AT (Attack Requirements) - it's very difficult to use anything but AT:N without knowing more about the system being tested.
Similarly, UI (User Interaction) is a bit of a dice-roll for a VRT item, and in a specific case may be UI:P or UI:A. For some VRT items this mapping is pretty easy, for others it's nigh-impossible for us to decide here.
You can re-generate the mappings using python lib/generate_cvss_v4.py. That script serves as a write-up of my thinking for some of these translations, and if you disagree with them, that's probably where your disagreement should go!
You can use python lib/cvss_v4_export.py to see a side-by-side of VRT items, their suggested priority, and the suggested CVSS4 vector and resulting score. This is probably a good way to eyeball any discrepancies or anything that might be missing.
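To make the "encode the choices repeatably" approach concrete, here is an added example of a CVSS 3.x to CVSS 4.0 base-vector translator. It is not the repository's lib/generate_cvss_v4.py and does not reproduce that script's decisions; the translation rules it encodes are assumptions chosen for illustration: AT is always N (a taxonomy entry cannot know a specific target's attack requirements), v3 UI:R becomes UI:P unless the caller asks for UI:A, and since 4.0 drops Scope, C/I/A become the Vulnerable System metrics VC/VI/VA and are also copied to the Subsequent System metrics SC/SI/SA only when the v3 vector had S:C. The sample vectors and VRT item names in the demo are constructed and hypothetical.

```python
"""Illustrative CVSS v3.x -> CVSS v4.0 base-vector translation.

Added example: this is NOT the repository's lib/generate_cvss_v4.py, and the
mapping rules below are assumptions chosen to illustrate the approach the PR
describes (write each translation choice down once, so it can be re-run).
"""
import re

V3_VECTOR = re.compile(r"^CVSS:3\.[01]/(?P<body>(?:[A-Z]+:[A-Z]/?)+)$")

# Base metrics in the order the two specifications print them.
V3_BASE = ("AV", "AC", "PR", "UI", "S", "C", "I", "A")
V4_BASE = ("AV", "AC", "AT", "PR", "UI", "VC", "VI", "VA", "SC", "SI", "SA")

# Legal values for each CVSS 4.0 base metric, used to validate our output.
V4_VALUES = {
    "AV": "NALP", "AC": "LH", "AT": "NP", "PR": "NLH", "UI": "NPA",
    "VC": "HLN", "VI": "HLN", "VA": "HLN", "SC": "HLN", "SI": "HLN", "SA": "HLN",
}


def parse_v3(vector: str) -> dict:
    """Return the eight CVSS 3.x base metrics of a vector string as a dict."""
    match = V3_VECTOR.match(vector)
    if not match:
        raise ValueError(f"not a CVSS 3.x vector: {vector!r}")
    parts = match.group("body").rstrip("/").split("/")
    metrics = dict(part.split(":") for part in parts)
    missing = [name for name in V3_BASE if name not in metrics]
    if missing:
        raise ValueError(f"vector is missing base metrics {missing}: {vector!r}")
    return {name: metrics[name] for name in V3_BASE}


def v3_to_v4(vector: str, user_interaction: str = "P") -> str:
    """Translate a CVSS 3.x vector to a CVSS 4.0 base vector.

    Assumed translation choices (illustration only, not the PR's):
      * AT (Attack Requirements) is always N: a taxonomy entry does not know
        whether a specific target needs a race, a non-default config, etc.
      * v3 UI:N stays UI:N; v3 UI:R becomes UI:P (passive) unless the caller
        asks for UI:A (active), because v3 did not distinguish the two.
      * v3 Scope does not exist in 4.0: C/I/A always become the Vulnerable
        System metrics VC/VI/VA; with S:C they are copied to the Subsequent
        System metrics SC/SI/SA as well, with S:U those are N.
    """
    if user_interaction not in ("P", "A"):
        raise ValueError("user_interaction must be 'P' or 'A'")
    v3 = parse_v3(vector)
    v4 = {"AV": v3["AV"], "AC": v3["AC"], "AT": "N", "PR": v3["PR"]}
    v4["UI"] = "N" if v3["UI"] == "N" else user_interaction
    for impact in ("C", "I", "A"):
        v4["V" + impact] = v3[impact]
        v4["S" + impact] = v3[impact] if v3["S"] == "C" else "N"
    # Refuse to emit a vector the 4.0 specification would not accept.
    for name in V4_BASE:
        if v4[name] not in V4_VALUES[name]:
            raise ValueError(f"illegal {name}:{v4[name]} produced from {vector!r}")
    return "CVSS:4.0/" + "/".join(f"{name}:{v4[name]}" for name in V4_BASE)


if __name__ == "__main__":
    # Constructed sample vectors; the VRT item names are hypothetical.
    samples = {
        "example_remote_unauthenticated_rce": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
        "example_reflected_xss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
    }
    for item, v3 in samples.items():
        print(f"{item}\n  v3: {v3}\n  v4: {v3_to_v4(v3)}")
```

The point of keeping the rules in one function is the same as the PR's: when someone disagrees with a choice (say, that v3 AC:H should sometimes become AT:P), the change is a one-line edit followed by a re-run, and the new vectors can be eyeballed side by side with the old ones before they are committed.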