
Update - PII Leakage updated to Sensitive Information Leak #351

Closed
evildaemond opened this issue May 1, 2023 · 3 comments

Comments

@evildaemond

Description

The Bugcrowd VRT variant Automotive Security Misconfiguration > Infotainment, Radio Head Unit > PII Leakage has been brought up on occasion, as the variant is not used properly due to the terminology of the submission title. We have seen PII leakage being miscategorised due to the term PII inside of its name.

We want to provide a solution to this which gives people an option to categorise their submissions properly. This would be a new category called PII Leakage/Exposure, with the intent that a researcher would select this submission when they identify information such as exposed data for a user or group where a class such as IDOR does not match the way this information was identified.

Recommendations

  1. Update the title of the variant Automotive Security Misconfiguration > Infotainment, Radio Head Unit > PII Leakage to Sensitive Data Leakage. (This is a temporary measure until the Automotive Security Misconfiguration can properly be overhauled)
  2. Create a new variant under Sensitive Data Exposure called PII Leakage/Exposure which has the impact of Varies.
@TimmyBugcrowd
Contributor

TimmyBugcrowd commented May 1, 2023

I totally agree with this. Don't you think that Sensitive Data Leakage should be Sensitive Data Leakage/Exposure as in Varies?

@amalmurali47
Contributor

I agree with the recommendations. For additional clarity, these are the changes being proposed:

  • Remove:
    • (P1) Automotive Security Misconfiguration > Infotainment, Radio Head Unit > PII Leakage
  • Add:
    • (Varies) Automotive Security Misconfiguration > Infotainment, Radio Head Unit PII Leakage > Sensitive Data Leakage
  • Add:
    • (Varies) Sensitive Data Exposure > Disclosure of Secrets > PII Leakage

I've modified PII Leakage/Exposure to PII Leakage so it's consistent with the other entries.

@TimmyBugcrowd
Contributor

Closing the issue since the PR for this has been submitted: #361
