Aaj Kya Seekhenge?

• CVSS kya hai basics se
• CVSS 3.1 metrics ek ek samjho
• Score calculate karna step by step
• Real vulnerabilities ka CVSS examples
• Common mistakes avoid karo
• CVSS vs Bug Bounty Severity fark

Kyun zaroori hai? CVSS score = Bounty amount ka direct link! Companies CVSS ke basis pe P1/P2/P3/P4 decide karti hain! Ek wrong CVSS claim = Severity downgraded = $3,000 kam bounty! Sahi CVSS = Maximum bounty + credibility!

CVSS Kya Hai? Simple Samjho

CVSS = Common Vulnerability Scoring System

Ek standardized formula jo batata hai:
"Yeh vulnerability kitni dangerous hai?"

Score range: 0.0 — 10.0

0.0       = Koi risk nahi
0.1 - 3.9 = LOW
4.0 - 6.9 = MEDIUM
7.0 - 8.9 = HIGH
9.0 - 10.0= CRITICAL

CVSS 3.1 = Current version (2019 se)
CVSS 4.0 = Latest (2023 se — kuch platforms use kar rahe)

Bug bounty mein CVSS 3.1 standard hai!

PART 1: CVSS 3.1 Metrics Teeno Groups

CVSS mein 3 metric groups hain:

1. BASE Metrics     → Bug ki actual nature
                      (Fixed score — hamesha same)

2. TEMPORAL Metrics → Time-dependent factors
                      (Optional — bounty mein kam use)

3. ENVIRONMENTAL    → Your specific org context
                      (Optional — companies khud set karti)

Bug bounty mein: Sirf BASE metrics = Score!

PART 2: BASE Metrics Ek Ek Samjho

Metric 1: Attack Vector (AV) Kahan Se Attack?

Network (N)        → Internet se attack possible
                     Score contribution: HIGHEST
                     Example: Remote SQLi, SSRF

Adjacent (A)       → Same network se (WiFi, LAN)
                     Score contribution: Medium
                     Example: WiFi packet sniffing

Local (L)          → Physically machine pe hona zaroori
                     Score contribution: Lower
                     Example: Local privilege escalation

Physical (P)       → Physically touch karna zaroori
                     Score contribution: LOWEST
                     Example: USB-based attack

Bug bounty mein 90% bugs: AV:N (Network) = Highest score!

Metric 2: Attack Complexity (AC) Kitna Mushkil?

Low (L)    → Koi special condition nahi
             Attack hamesha kaam karta hai
             Score: Higher ✅
             Example: Direct SQLi, Open IDOR

High (H)   → Special conditions chahiye
             Race condition, specific config, etc.
             Score: Lower
             Example: Race condition exploit

Metric 3: Privileges Required (PR) Auth Chahiye?

None (N)   → Koi login nahi chahiye!
             Score: HIGHEST ✅
             Example: Unauthenticated SQLi

Low (L)    → Normal user account chahiye
             Score: Medium
             Example: IDOR as logged-in user

High (H)   → Admin/privileged account chahiye
             Score: Lower
             Example: Admin-only feature bug

Metric 4: User Interaction (UI) Victim Ko Kuch Karna?

None (N)   → Victim ko kuch nahi karna!
             Attack automatically hota hai
             Score: Higher ✅
             Example: Stored XSS auto-execute

Required (R) → Victim ko click/visit karna padta hai
               Score: Lower
               Example: Reflected XSS (link click)

Metric 5: Scope (S) Sirf Us App Tak Ya Aage?

Unchanged (U) → Attack sirf vulnerable app tak
                Score: Normal
                Example: SQLi sirf us DB tak

Changed (C)   → Attack dusre systems bhi affect kare!
                Score: MUCH HIGHER ✅
                Example: SSRF → Internal network access
                         Container escape → Host server

Scope Changed = Score dramatically badh jaata hai!

Metric 6: Confidentiality Impact © Data Exposure?

None (N)   → Koi data expose nahi
High (H)   → Poora data expose! All files readable!
             Score: Maximum ✅
             Example: /etc/shadow readable
Low (L)    → Kuch data expose, limited access

Metric 7: Integrity Impact (I) Data Change?

None (N)   → Data change nahi ho sakta
High (H)   → Poora data modify/delete possible!
             Score: Maximum ✅
             Example: Admin without auth → delete records
Low (L)    → Limited data modification

Metric 8: Availability Impact (A) Service Down?

None (N)   → Service chalta rehta hai
High (H)   → Complete service crash/DoS!
             Score: Maximum ✅
             Example: Billion laughs XXE → server crash
Low (L)    → Performance degradation, partial impact

PART 3: Score Calculate Karo Real Examples!

Example 1: Unauthenticated SQLi

Vulnerability: SQL Injection — no login required
                Remote database dump possible

Attack Vector:     Network (N)    → Internet se
Attack Complexity: Low (L)        → Direct attack
Privileges Req:    None (N)       → No login!
User Interaction:  None (N)       → No victim needed
Scope:             Unchanged (U)  → Sirf DB affected
Confidentiality:   High (H)       → Full DB exposed
Integrity:         High (H)       → Data modify possible
Availability:      High (H)       → DB crash possible

CVSS Vector:
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS Score: 9.8 — CRITICAL! 🔴
Bounty Expected: $3,000 - $15,000+

Example 2: Stored XSS (Admin Impact)

Vulnerability: Stored XSS in profile bio
               Executes in any visitor's browser
               Admin also affected

Attack Vector:     Network (N)    → Internet se
Attack Complexity: Low (L)        → Simple payload
Privileges Req:    Low (L)        → Need account
User Interaction:  Required (R)   → Victim must visit
Scope:             Changed (C)!   → Other users affected!
Confidentiality:   High (H)       → Cookie steal
Integrity:         Low (L)        → Limited modification
Availability:      None (N)       → No service impact

CVSS Vector:
AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N

CVSS Score: 8.7 — HIGH! 🟠
Bounty Expected: $1,000 - $5,000

Example 3: IDOR (Sensitive Data)

Vulnerability: IDOR — other users' invoices readable
               Authenticated user needed

Attack Vector:     Network (N)
Attack Complexity: Low (L)
Privileges Req:    Low (L)        → Need account
User Interaction:  None (N)       → No victim needed
Scope:             Unchanged (U)
Confidentiality:   High (H)       → Financial data
Integrity:         None (N)       → Can't modify
Availability:      None (N)

CVSS Vector:
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVSS Score: 6.5 — MEDIUM 🟡
Bounty Expected: $300 - $1,500

Note: Impact ke basis pe companies
      High tak bhi de sakti hain!

Example 4: SSRF → AWS Metadata

Vulnerability: SSRF → 169.254.169.254
               AWS credentials accessible

Attack Vector:     Network (N)
Attack Complexity: Low (L)
Privileges Req:    None (N)       → No auth!
User Interaction:  None (N)
Scope:             Changed (C)!   → AWS cloud affected!
Confidentiality:   High (H)       → AWS keys stolen
Integrity:         High (H)       → AWS resources modify
Availability:      High (H)       → AWS resources delete

CVSS Vector:
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVSS Score: 10.0 — CRITICAL MAX! 🔴🔴
Bounty Expected: $5,000 - $25,000+

Example 5: Reflected XSS (Low Impact)

Vulnerability: Reflected XSS in search param
               Only executes if victim clicks link

Attack Vector:     Network (N)
Attack Complexity: Low (L)
Privileges Req:    None (N)
User Interaction:  Required (R)   → Must click link
Scope:             Unchanged (U)
Confidentiality:   Low (L)
Integrity:         Low (L)
Availability:      None (N)

CVSS Vector:
AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

CVSS Score: 6.1 — MEDIUM 🟡
Bounty Expected: $100 - $500

PART 4: CVSS Quick Reference Table

PART 5: CVSS Calculator Tools

Tool 1: NVD CVSS Calculator (Official)

URL: https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator

✅ Official NIST calculator
✅ Visual sliders
✅ Vector string auto-generate
✅ Score real-time calculate
✅ Copy vector string karo report mein

Tool 2: First.org Calculator

URL: https://www.first.org/cvss/calculator/3.1

✅ Simple interface
✅ Explanation har metric ka
✅ Temporal + Environmental bhi

Tool 3: HackerOne Built-in

HackerOne pe report submit karte waqt:
→ Severity section mein
→ "Use CVSS" option
→ Built-in calculator!
→ Score se automatically
   Critical/High/Medium/Low select hota hai!

PART 6: Common CVSS Mistakes Avoid Karo!

❌ Mistake 1: Har bug ko Critical claim karna
"Main maximum bounty chahta hoon"
→ Triage team samajhti hai — credibility khatam!
→ Future reports pe bhi doubt aayega!

❌ Mistake 2: Scope:Changed galat use karna
Scope:Changed sirf tab jab
dusra security domain affect ho!
(Browser → App = Changed)
(App → App = Unchanged usually)

❌ Mistake 3: UI:None jab interaction chahiye
Reflected XSS mein victim ko link click karna padta hai
→ UI:Required hoga — UI:None nahi!

❌ Mistake 4: PR:None jab auth chahiye
IDOR ke liye account chahiye
→ PR:Low hoga — PR:None nahi!

❌ Mistake 5: Availability overestimate karna
Sirf ek endpoint slow ho = A:Low
Full server down = A:High

PART 7: CVSS vs Platform Severity

CVSS score aur platform severity hamesha match nahi karte!

CVSS Score  | NVD Rating | HackerOne | Bugcrowd
------------|------------|-----------|----------
9.0 - 10.0  | Critical   | Critical  | P1
7.0 - 8.9   | High       | High      | P2
4.0 - 6.9   | Medium     | Medium    | P3
0.1 - 3.9   | Low        | Low       | P4

Important Notes:
→ Companies apna adjustment karti hain!
→ Business context matter karta hai!
→ CVSS 6.5 IDOR → Company High de sakti hai
  (agar sensitive data involved ho)
→ CVSS 8.0 → Company Medium de sakti hai
  (agar impact limited ho unke context mein)

Tumhara kaam: Sahi CVSS calculate karo
              + Impact section mein justify karo!

PART 8: Report Mein CVSS Kaise Add Karo

## Severity

**CVSS 3.1 Score: 8.7 (High)**

**Vector String:**
`CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N`

**Score Justification:**
- **AV:Network** — Vulnerability remotely exploitable
  via internet, no physical access required
- **AC:Low** — No special conditions needed,
  attack works consistently
- **PR:Low** — Requires basic authenticated account
  (free registration available)
- **UI:Required** — Victim must visit attacker's profile
- **S:Changed** — Attack escapes vulnerable component
  and affects other users' browser sessions
- **C:High** — Session cookies fully accessible,
  leading to complete account takeover
- **I:Low** — Limited data modification possible
  via DOM manipulation
- **A:None** — No availability impact

**Calculator Link:**
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?
vector=AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N&version=3.1

Quick Revision

📊 CVSS        = 0-10 score, vulnerability danger measure
🔢 Base Metrics = AV, AC, PR, UI, S, C, I, A
🌐 AV:Network  = Internet se = Highest score!
🔓 PR:None     = No auth needed = Higher score!
🔄 S:Changed   = Other systems affected = BIG boost!
🎯 Calculator  = nvd.nist.gov/vuln-metrics/cvss
❌ Avoid       = Overclaiming Critical har baar
✅ Always      = Justify each metric in report
💰 Result      = Correct CVSS = Fair bounty + credibility!

CVSS Ranges:
9.0-10.0 = Critical 🔴
7.0-8.9  = High 🟠
4.0-6.9  = Medium 🟡
0.1-3.9  = Low 🟢

Meri Baat…

Pehli baar SSRF mila excited hokar CVSS calculate kiya:

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N = 7.5 (High)

Triager ne response diya: "Severity downgraded to Medium"

Maine socha kya galti hui?

Galti: S:Unchanged maine socha sirf app affected hai!

Lekin SSRF se main AWS metadata access kar raha tha Cloud infrastructure = Different security domain = S:Changed!

Correct CVSS:

AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H = 10.0 (CRITICAL!)

Triager ko explain kiya Severity Critical pe update ho gayi!

Bounty: $6,000 sirf ek metric ka difference! 🎉

Lesson: Scope:Changed ko kabhi mat bhulo SSRF, XSS to other users, container escape sab mein S:C hoga!

Agle article mein Real Bug Reports HackerOne public disclosures se seekhte hain actual reports analyze karenge! 🔥

HackerMD Bug Bounty Hunter | Cybersecurity Researcher GitHub: BotGJ16 | Medium: @HackerMD

Previous: Article #25 Perfect Bug Report Next: Article #27 Real Bug Reports: HackerOne Disclosures Se Seekho!

#CVSS #BugBounty #VulnerabilityScoring #EthicalHacking #Hinglish #HackerOne #HackerMD