Add CVSS 4 mapping#489

Merged: arcwhite merged 5 commits into master from add-cvss-4-mapping on Feb 24, 2026

Conversation

@arcwhite arcwhite (Contributor) commented Feb 2, 2026

Adds support for CVSS4, by the same pattern established with CVSS3 mappings.

These mappings are used internally at Bugcrowd to auto-suggest CVSS vectors to customers who want to use them. Like the VRT itself, these suggestions are not final determinations, but a starting point for a conversation or line of thinking.

Some CVSS attributes require specific detail about the vulnerability or weakness being discussed. For example, AT (Attack Requirements) - it's very difficult to use anything but AT:N without knowing more about the system being tested.

Similarly, UI (User Interaction) is a bit of a dice-roll for a VRT item, and in a specific case may be UI:P or UI:A. For some VRT items this mapping is pretty easy, for others it's nigh-impossible for us to decide here.

You can re-generate the mappings using python lib/generate_cvss_v4.py. That script serves as a write-up of my thinking for some of these translations, and if you disagree with them, that's probably where your disagreement should go!

You can use python lib/cvss_v4_export.py to see a side-by-side of VRT items, their suggested priority, and the suggested CVSS4 vector and resulting score. This is probably a good way to eyeball any discrepancies or anything that might be missing.
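As an added illustration of the CVSS3-to-CVSS4 translation pattern the description refers to (this is editorial example code, not the project's lib/generate_cvss_v4.py), the sketch below carries a CVSS 3.1 base vector over to a CVSS 4.0 base vector with AT defaulting to N and UI:R mapped to P unless the caller chooses A. The treatment of Scope Changed (copying the C/I/A impacts onto SC/SI/SA) is an assumption of this example, not a choice the PR states.

```python
"""Translate a CVSS 3.1 base vector into a CVSS 4.0 base vector.

Hypothetical illustration of the mapping pattern; not the VRT project's
lib/generate_cvss_v4.py. Conventions marked ASSUMPTION are editorial choices
made for this example, not the project's.
"""
import re

# Base metrics a CVSS 3.1 vector must carry.
REQUIRED_31 = ("AV", "AC", "PR", "UI", "S", "C", "I", "A")
# Base metric order in a CVSS 4.0 vector string.
ORDER_40 = ("AV", "AC", "AT", "PR", "UI", "VC", "VI", "VA", "SC", "SI", "SA")


def parse_vector(vector: str, prefix: str) -> dict:
    """Split 'CVSS:3.1/AV:N/...' into {'AV': 'N', ...}, checking the prefix."""
    head, _, body = vector.partition("/")
    if head != prefix or not body:
        raise ValueError(f"expected a {prefix} vector, got {vector!r}")
    metrics = {}
    for part in body.split("/"):
        m = re.fullmatch(r"([A-Z]{1,2}):([A-Z])", part)
        if not m:
            raise ValueError(f"malformed metric {part!r}")
        metrics[m.group(1)] = m.group(2)
    return metrics


def cvss31_to_cvss40(vector31: str, ui_required: str = "P") -> str:
    """Build a CVSS 4.0 base vector from a CVSS 3.1 base vector.

    ASSUMPTION: AT defaults to N because a taxonomy-level mapping cannot know
    system-specific attack requirements. ASSUMPTION: UI:R becomes ui_required
    (P by default) since the taxonomy cannot tell passive from active.
    ASSUMPTION: Scope Changed copies the C/I/A impacts onto the subsequent
    system (SC/SI/SA); Scope Unchanged sets them to N.
    """
    m31 = parse_vector(vector31, "CVSS:3.1")
    missing = [k for k in REQUIRED_31 if k not in m31]
    if missing:
        raise ValueError(f"missing base metrics: {missing}")
    if ui_required not in ("P", "A"):
        raise ValueError("ui_required must be 'P' or 'A'")
    # AV, AC and PR keep their letter values between 3.1 and 4.0.
    m40 = {"AV": m31["AV"], "AC": m31["AC"], "AT": "N", "PR": m31["PR"]}
    m40["UI"] = "N" if m31["UI"] == "N" else ui_required
    for old, new in (("C", "VC"), ("I", "VI"), ("A", "VA")):
        m40[new] = m31[old]
    for old, new in (("C", "SC"), ("I", "SI"), ("A", "SA")):
        m40[new] = m31[old] if m31["S"] == "C" else "N"
    return "CVSS:4.0/" + "/".join(f"{k}:{m40[k]}" for k in ORDER_40)
```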

arcwhite and others added 4 commits February 2, 2026 14:39
We're adding support for CVSS4 vectors, which means we should have refreshed and updated default vector suggestions for VRT items.
Using our CVSS3 mappings as a base, and making some philosophical choices about how new CVSS attributes get applied, we generate CVSS4 mappings using a script that we can run again in the future if we need to (we're encoding our choices repeatably).

As part of this exercise I discovered a few newer VRT items that never received a CVSS mapping at all, and I make some educated guesses about what those should be, but these choices definitely need reviewing by someone with more security expertise than I.

@nnons nnons left a comment

Minor code changes and some VRT compat scripts. LGTM

@arcwhite arcwhite merged commit 2624b12 into master Feb 24, 2026
5 checks passed
@arcwhite arcwhite deleted the add-cvss-4-mapping branch February 24, 2026 05:59