Zoom has unveiled its latest innovation, the Vulnerability Impact Scoring System (VISS), set to redefine the landscape of vulnerability assessment and incident response.

This open-source project aims to transform security measures by introducing a groundbreaking approach to vulnerability scoring, available for general use.

Unlike traditional scoring systems like the Common Vulnerability Scoring System (CVSS) that primarily focus on potential attacker perspectives, VISS takes a unique stance. It offers an assessment system that prioritizes demonstrated impact over theoretical threats, empowering defenders in incident response. VISS evaluates vulnerabilities objectively, basing assessments on responsibly demonstrated exploitations rather than hypothetical risks.

VISS Structure and Flexibility

Since March 2023, Zoom has integrated VISS into its Bug Bounty Program, incentivizing security researchers and product users to uncover and report vulnerabilities without the fear of legal repercussions. This initiative has witnessed a significant shift in submitted reports, showcasing a trend towards higher-impact findings and complex exploitations.

VISS helps organizations proactively protect their environments by prioritizing vulnerabilities likely to have a tangible impact. This prioritization becomes crucial, especially in times when companies are streamlining resources. Understanding where to focus time and effort for maximum value is paramount.

VISS evaluates vulnerabilities based on 13 impact aspects, categorized into platform, infrastructure, and data groups. The resulting numerical score, ranging from 0 to 100, indicates the severity of impact within a specific environment. The system allows for flexibility with Compensating Controls, enabling environment owners to tailor scores based on individual risk profiles through an administration portal.
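As an added illustration (not Zoom's code and not the actual VISS formula, which the article does not give), the following Python sketch follows the shape described above: thirteen impact aspects in platform, infrastructure and data groups, each rated by demonstrated impact, aggregated into a 0 to 100 score, with per-aspect compensating controls an environment owner can apply to lower the score for their own environment. The aspect names, the 0 to 3 rating scale, equal weighting of aspects and the way controls reduce an aspect are all assumptions made for the example.

```python
# Illustrative impact scorer shaped like the article's description of VISS.
# Everything below (aspect names, 0-3 levels, equal weights, control model)
# is an assumption for the example, not VISS's published method.

# Hypothetical aspect names, grouped as the article describes.
ASPECT_GROUPS = {
    "platform": ["code_execution", "privilege_escalation", "auth_bypass",
                 "availability", "persistence"],
    "infrastructure": ["network_reach", "lateral_movement",
                       "control_plane", "supply_chain"],
    "data": ["confidentiality", "integrity", "volume", "sensitivity"],
}
ALL_ASPECTS = [a for group in ASPECT_GROUPS.values() for a in group]
assert len(ALL_ASPECTS) == 13  # matches the count the article gives

# Each aspect is rated by what a report actually demonstrated:
# 0 = not demonstrated ... 3 = fully demonstrated.
MAX_LEVEL = 3


def validate_levels(levels):
    """Reject unknown aspects and out-of-range ratings."""
    for aspect, level in levels.items():
        if aspect not in ALL_ASPECTS:
            raise ValueError(f"unknown aspect: {aspect}")
        if not 0 <= level <= MAX_LEVEL:
            raise ValueError(f"level out of range for {aspect}: {level}")


def apply_controls(levels, controls):
    """Compensating controls: aspect -> fraction of demonstrated impact the
    environment owner's control removes (0.0 = no effect, 1.0 = fully
    mitigated). Unrated aspects count as 0."""
    adjusted = {}
    for aspect in ALL_ASPECTS:
        reduction = controls.get(aspect, 0.0)
        if not 0.0 <= reduction <= 1.0:
            raise ValueError(f"control reduction out of range for {aspect}")
        adjusted[aspect] = levels.get(aspect, 0) * (1.0 - reduction)
    return adjusted


def score(levels, controls=None):
    """Overall 0-100 impact score after compensating controls."""
    validate_levels(levels)
    adjusted = apply_controls(levels, controls or {})
    total = sum(adjusted.values())
    return round(100.0 * total / (MAX_LEVEL * len(ALL_ASPECTS)), 1)


def group_scores(levels, controls=None):
    """Per-group 0-100 breakdown, useful for seeing where impact lands."""
    validate_levels(levels)
    adjusted = apply_controls(levels, controls or {})
    result = {}
    for group, aspects in ASPECT_GROUPS.items():
        total = sum(adjusted[a] for a in aspects)
        result[group] = round(100.0 * total / (MAX_LEVEL * len(aspects)), 1)
    return result


if __name__ == "__main__":
    # Constructed sample report: full code execution, partial privilege
    # escalation, full confidentiality impact demonstrated.
    report = {"code_execution": 3, "privilege_escalation": 2,
              "confidentiality": 3}
    # Constructed sample control: the environment encrypts the exposed data
    # store, so the owner halves the confidentiality impact.
    controls = {"confidentiality": 0.5}
    print("raw score:", score(report))                # 20.5
    print("with controls:", score(report, controls))  # 16.7
    print("by group:", group_scores(report))
```

The point of separating `apply_controls` from the rating step is that the demonstrated impact levels stay a fact about the report, while the compensating controls stay a fact about the environment; the same report can be re-scored for different environments without touching the ratings.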

Vulnerability Assessment: Case Study with HackerOne

Zoom’s sponsorship of HackerOne’s live-hacking event in London in 2023 highlighted VISS’s efficacy in evaluating vulnerability reports alongside CVSS. The implementation facilitated improved resource allocation and a focus on addressing Critical and High severity vulnerabilities.

Post-VISS implementation, there’s been a notable shift in vulnerability report submissions. Researchers are dedicating more efforts towards evolving their exploits, resulting in a surge in Critical (28%) and High (12%) severity reports. Conversely, Medium severity submissions reduced by 57% compared to pre-VISS implementation.

VISS isn’t just limited to Zoom; it aims to empower security teams worldwide by providing an objective measure of vulnerability impact. Its contribution extends to enhancing incident response globally, fostering a more secure digital landscape.

Zoom encourages exploration and contribution to VISS’s development, inviting participation in revolutionizing vulnerability impact scoring. The open-source repository is available at https://github.com/zoom/viss.