Bugcrowd Announces Vulnerability Ratings for LLMs

Bugcrowd has updated its Vulnerability Rating Taxonomy (VRT) with a new rating system to categorize and prioritize vulnerabilities in large language models (LLMs).

Launched in 2016, VRT is an open source initiative that standardizes how vulnerabilities are classified. Used by Bugcrowd and its ecosystem of customer organizations and vulnerability researchers, the VRT provides a framework for assessing the severity of cybersecurity risks. VRT establishes a baseline technical severity rating for common vulnerability classes, considering potential variations in edge cases.

The latest VRT update was partly inspired by the OWASP Top 10 for Large Language Model Applications, according to the company. With this rating system, Bugcrowd's community of vulnerability researchers can focus on hunting for specific vulnerabilities and creating targeted proofs of concept, while program owners with LLM-related assets can design project scoping and rewards that produce the best outcomes, the company said.

“Although AI systems can have well-known vulnerabilities that are found in common web applications, AI technologies like LLMs have introduced unprecedented security challenges that our industry is only beginning to understand and document,” said Casey Ellis, founder and chief strategy officer of Bugcrowd, in a statement.