Comments (4)
I believe we should clarify the single entry with "Sensitive Data Exposure->Visible Detailed Error/Debug Page".
The intent is to reduce confusion and there is not a sufficient difference between these details to warrant another variant for tracking purposes.
from vulnerability-rating-taxonomy.
I think Sensitive Data Exposure->Visible Detailed Error Page is playing its part well, because many times researchers would submit reports about displaying error pages and they are really not interested in understanding if the content being displayed over there is sensitive or not.
Hence, leaving this entry over there and creating a new subcategory for "Sensitive Data Exposure->Visible Detailed Error/Debug Page" would be good so that we can refer them to a P5 or P4 accordingly.
I agree with @ryancblack. The intent is to reduce confusion when classifying all kinds of debug, error, or other kinds of page/content that should not be accessible in a production environment. Therefore the current entry's naming adjustment seems to make the most sense, especially since the priority will be context based (null) regardless of the implementation.
If nobody else feels strongly about creating a dedicated subcategory (option 2), then please share any better naming adjustment ideas; there might be something more elegant than 'Visible Detailed Error/Debug Page'.
Implemented in #8