The “Privileges Required” trap in CVSS 3.1

A common question that people raise in the bug bounty community is around the following situation:

  1. Application has open registration available
  2. The registration does not involve any manual approval by anybody
  3. A vulnerability exists in the application, which can only be exploited by an authenticated user

Should the CVSS 3.1 Privileges Required vector be None or Low in this case?

On its surface, it may seem entirely reasonable that the requirement for authentication would imply that Privileges Required should be scored as Low. But I will argue in this post that it should clearly be None, not Low, even though scoring it Low is common practice.

Reason #1 – Privilege vs. right

First, we need to be clear about our definitions. Here’s what the Oxford dictionary says about each word:

Privilege

noun

1. special right, advantage, or immunity granted or available only to a particular person or group.
“education is a right, not a privilege”

Right

noun

2. a moral or legal entitlement to have or do something.
“she had every right to be angry”

Elucidating the distinction further, each has the following properties:

  • Privilege
    • Is granted to you 
    • Implies an explicit action/intent by somebody with existing privilege
  • Right
    • Is not bestowed upon you specifically
    • Applies to everybody

In our case, the presence of open registration implies that there’s no administrator approving user registrations or applying privileges to the account explicitly. Thus, no privilege is involved, and it follows that the Privileges Required should be None.

Reason #2 – Specification 

To help us understand the correct score in our scenario, we can also trust the specification to give us clarity. And in my opinion, it’s very clear on this specific matter. So by way of hand-picking quotes that support my hypothesis, without further ado, here’s why the specification makes it clear that our scenario must be scored with None:

CVSS 3.1 specification

Firstly, Privileges Required is an Exploitability metric. The specification explicitly assumes that the attacker has advanced knowledge of the system and its weaknesses. Some people will argue that the score should be Low due to the decreased likelihood of an attacker discovering the vulnerability. But the specification makes it very clear that this is not relevant.

The section covering the Metric itself also leads us to the same conclusion:

CVSS 3.1 specification

First, the spec clarifies that it’s not about what privileges are required, full stop. Instead, it’s what privileges are required before exploitation. In the case of open registration, the attacker by definition needs nothing before exploitation, since registering can simply be considered part of the exploit chain.

The description of None drives this point even further by calling out again that the attacker is unauthorized before the exploitation. And as a reminder, since this is an exploitability metric, it assumes an attacker with excellent knowledge of the system in question. We are not considering discovery in any way, and we shouldn’t.

Conclusion

The principal argument for applying a score of Low to Privileges Required in the context of an application with open registration, from what I can tell, is that the requirement for registration:

  • makes it harder to spray an exploit across the internet
  • forces the attacker into some pre-planning and preparation before exploitation

We’ve already established that these factors are irrelevant, as called out by the specification itself. The fact that registration is required simply becomes an exploit implementation detail that adds some hour(s) of work for large-scale exploitation. And that’s quite clearly not the intended use of CVSS. Thus, when faced with an application with open registration where a user account is needed to conduct the attack, one must score Privileges Required as None, not Low.
