Vulnerability Rating Taxonomy for LLMs


Bugcrowd has announced updates to the Vulnerability Rating Taxonomy (VRT) that define and prioritize crowdsourced vulnerabilities in Large Language Models (LLMs) for the first time.

The VRT is an ongoing open-source effort to standardize how suspected vulnerabilities submitted by hackers are reported, and it is implemented in the Bugcrowd Platform for use by hackers, customers, and Bugcrowd’s application security engineers.

This latest VRT release, which was partly inspired by the OWASP Top 10 for Large Language Model Applications, marks a milestone for the crowdsourced cybersecurity industry because it gives customers and hackers a shared understanding of how LLM-related vulnerabilities are classified and prioritized. Armed with this information, hackers can focus on hunting for specific vulnerabilities and creating targeted proofs-of-concept, while program owners with LLM-related assets can design project scoping and rewards that produce the best outcomes.

In 2016, Bugcrowd created the VRT, which is now an open-source project for customers, Bugcrowd application security engineers, and researchers to collaborate on a shared understanding of risk severity. The VRT is designed to constantly evolve in order to mirror the current threat environment. Since the VRT’s creation, hundreds of thousands of vulnerability submissions have been created, validated, triaged, and accepted by program owners on the Bugcrowd Platform.

“Although AI systems can have well-known vulnerabilities that are found in common web applications, AI technologies like LLMs have introduced unprecedented security challenges that our industry is only beginning to understand and document,” said Casey Ellis, Founder and Chief Strategy Officer of Bugcrowd.

“This new release of VRT not only opens up a new form of offensive security research and red teaming to program participants, but it helps companies increase their scope to include these additional attack vectors,” said Ads Dawson, senior security engineer for LLM platform provider Cohere and a key contributor to the release. “I am looking forward to seeing how this VRT release will influence researchers and companies looking to fortify their defenses against these newly introduced attack concepts.”

“At Bugcrowd, we believe that the human ingenuity unleashed by crowdsourced security is the best tool available for meeting AI security goals in a scalable, impactful way that provides more visibility into security ROI,” said Dave Gerry, Chief Executive Officer of Bugcrowd. “With these AI security-related updates to the VRT, the Bugcrowd Platform is positioned as the leading option for meeting that goal.”