SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
Zoom introduces VISS, an innovative approach to vulnerability assessment
Mon, 18th Dec 2023

Zoom has released its latest open-source offering to the public: the Vulnerability Impact Scoring System (VISS). Intended to reshape the vulnerability assessment and incident response landscape, VISS aims to enhance security measures through an innovative approach to vulnerability scoring.

VISS prioritises demonstrated impact over theoretical security impact possibilities, and it is presented through a web-based UI supported by advanced algorithms. The primary objective is to enable more proactive protection of environments by prioritising the vulnerabilities that are most likely to impact an organisation.

Traditional scoring systems like the Common Vulnerability Scoring System (CVSS) mainly focus on the perspective of attackers and worst-case scenarios, but VISS is different. It provides a unique method that boosts incident response capabilities by objectively measuring the collective effect of vulnerabilities from a defender's viewpoint. It therefore bases its evaluations on responsibly demonstrated exploitation rather than theoretical threats.

Since March 2023, Zoom has used this system to assess reward disbursements in its Bug Bounty Program. The program allows security researchers and product users to discover and disclose security vulnerabilities to Zoom without fearing legal consequences. By offering a finder's fee, the program has seen a significant evolution in the reports submitted.

Zoom believes that this emerging trend towards higher-impact findings and more intricate, multi-step exploitations suggests that researchers are investing more time in exploring potential vulnerabilities. VISS analyses vulnerabilities based on 13 impact aspects, which are categorised into platform, infrastructure, and data groups. The final numerical score, ranging from 0 to 100, shows the severity of impact within a particular environment.

Another testament to the viability of VISS came from Zoom's sponsorship of the HackerOne H1-4420 live-hacking event in London in 2023. The reports submitted by hackers went through an advanced bug evaluation method using both CVSS and VISS. This approach paved the way for enhanced resource allocation and a heightened focus on addressing Critical and High severity vulnerabilities.

Notably, Zoom observed a surge in Critical and High severity reports. Between March and December 2023, there was a 28% increase in Critical and a 12% rise in High severity reports. There was also a significant 57% reduction in Medium severity submissions.

The mission of VISS extends far beyond Zoom, with the aim of enhancing the response of security teams globally. With a comprehensive measure of vulnerability impact, VISS seeks to make the internet a safer place for everyone. It encourages interested parties to explore, contribute to its development, and join in the revolution of vulnerability impact scoring.