Bugcrowd Implements AI Vulnerability Rating Taxonomy for Large Language Models

Multi-solution crowdsourced cybersecurity platform Bugcrowd announced updates to the Vulnerability Rating Taxonomy (VRT) that, for the first time, define and prioritize crowdsourced vulnerabilities in Large Language Models (LLMs).

The VRT is an ongoing open-source effort to establish an industry-standard way of reporting hacker submissions of suspected vulnerabilities, and is implemented in the Bugcrowd Platform for use by hackers, customers and Bugcrowd’s application security engineers.

This latest VRT release, which was partly inspired by the OWASP Top 10 for Large Language Model Applications, marks a milestone for the crowdsourced cybersecurity industry because it gives customers and hackers a shared understanding of how LLM-related vulnerabilities are classified and prioritized. Armed with this information, hackers can focus on hunting for specific vulnerabilities and creating targeted proofs-of-concept, while program owners with LLM-related assets can design project scoping and rewards that produce the best outcomes.

In 2016, Bugcrowd created the VRT, which is now an open-source project for customers, Bugcrowd application security engineers, and researchers to collaborate on a shared understanding of risk severity. The VRT is designed to constantly evolve in order to mirror the current threat environment. Since the VRT’s creation, hundreds of thousands of vulnerability submissions have been created, validated, triaged and accepted by program owners on the Bugcrowd Platform.

“Although AI systems can have well-known vulnerabilities that are found in common web applications, AI technologies like LLMs have introduced unprecedented security challenges that our industry is only beginning to understand and document,” said Casey Ellis, founder and Chief Strategy Officer, Bugcrowd.

“At Bugcrowd, we believe that the human ingenuity unleashed by crowdsourced security is the best tool available for meeting AI security goals in a scalable, impactful way that provides more visibility into security ROI,” said Dave Gerry, Bugcrowd’s CEO. “With these AI security-related updates to the VRT, the Bugcrowd Platform is positioned as the leading option for meeting that goal.”
