CSV Injection should be in a Higher Priority about vulnerability-rating-taxonomy HOT 5 CLOSED

Hi @Osamax,

Firs of all thank you for taking your time to provide such a good video PoC, that often makes a difference.

Bugcrowd's VRT classifies CSV Injection as accepted risk which is how this kind of issues is recognized by most of the industry (a good reference here). However we do give our customers the opportunity to review P5 issues and upgrade/reward based on their preference. We also leave the ASE's room for occasional upgrades based on critical context as it's the case with the VRT in general.

Hope that helps!

from vulnerability-rating-taxonomy.

Thanks for your reply, but what should i do now? do i have to convince the Program which i reported this vulnerability that this issue is of a higher risk? because one of the Program guy told me that i should file an issue here on github, so i'm a bit confused that what to do next.

from vulnerability-rating-taxonomy.

If you believe that the context of a particular issue is critical enough to warrant upgrading the default priority as an exception you are welcome to make your case in your report. If you believe that you did your best to explain the risk, please accept that the Application Security Engineer validating your submission made a well informed decision.

This GitHub repository is where we shape the VRT. By filing an issue you are debating whether a vulnerability is properly classified by Bugcrowd's Vulnerability Rating Taxonomy.

from vulnerability-rating-taxonomy.

Yes i believe that the context of this issue is critical, which was well explained in the Video POC, and i want to file an issue.

from vulnerability-rating-taxonomy.

I agree, if an application affords you an avenue to deliver command execution on a client - assuming a file is safe to handle because of a inherent trust of the app they are using - CSV injection should be high

from vulnerability-rating-taxonomy.