SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
Australia
Guides
#
cloud security
#
cybersecurity
#
endpoint protection
#
firewall
#
ransomware
Search
Story image
#
Open source
#
Digital assessment
#
Incident Response
Zoom introduces VISS, an innovative approach to vulnerability assessment
Mon, 18th Dec 2023
Author image
By Imee Dequito, Editor
Follow us

Zoom has unearthed its latest open-source offering to the public: the Vulnerability Impact Scoring System (VISS). Intended to reshape the vulnerability assessment and incident response landscape, VISS aims to enhance security measures through an innovative approach to vulnerability scoring.

By focusing on prioritising the demonstrated impact in contrast to theoretical security impact possibilities, VISS presents a web-based UI supported by advanced algorithms. The primary objective is to enable a more proactive protection of environments by prioritising vulnerabilities that are most likely to impact an organisation.

Traditional scoring systems like Common Vulnerability Scoring System (CVSS) mainly focus on the perspective of attackers and worst-case scenarios, but VISS is different. It provides a unique method that boosts incident response capabilities by objectively measuring the collective effect of vulnerabilities from a defender’s viewpoint. It hence bases its evaluations on responsibly demonstrated exploitation rather than theoretical threats.

Since March 2023, Zoom has adopted this pioneering system for assessing reward disbursements in its Bug Bounty Program. The program allows security researchers and product users to discover and disclose security vulnerabilities to Zoom without fearing legal consequences. By offering a finder's fee, the program has had a significant evolution in the submitted reports.

Zoom believes that this emerging pattern towards higher-impact findings and more intricate, multi-step exploitations suggests that researchers are investing more time to explore the potential vulnerabilities. VISS analyses vulnerabilities based on 13 impact aspects which are categorised into platform, infrastructure, and data groups. The final numerical score, ranging from 0 to 100, shows the severity of impact within a particular environment.

Another testament to the viability of VISS came from Zoom's sponsorship of the HackerOne H1-4420 live-hacking event in London in 2023. The report submissions from hackers went through an advanced bug evaluation method using both CVSS and VISS. This approach paved the way for enhanced resource allocation and a heightened focus on addressing Critical and High severity vulnerabilities.

Notably, Zoom observed a surge in Critical and High severity reports. Between March and December 2023, there was a 28% increase in Critical and a 12% rise in High severity reports. There was also a significant 57% reduction in medium severity submissions.

The mission of VISS extends far beyond Zoom with the aim to enhance the response of security teams globally. With a comprehensive measure of vulnerability impact, VISS seeks to make the internet a safer place for everyone. It encourages interested parties to explore, contribute to its development, and join in the revolution of vulnerability impact scoring.

Related stories
Healthcare sector's cybersecurity confidence misplaced, warns Kroll report
Five top concerns in private cloud visibility
BeyondTrust's 2024 report reveals top Microsoft vulnerabilities
Red Hat updates trusted software supply chain, bolsters security
Cado Security unmasks Cerber ransomware threat to Confluence servers
Top stories
Australian businesses fast-track Microsoft cloud adoption amid cyber threats
Zscaler introduces enhanced ZDX service for improved IT operations
The importance of cybersecurity training for software developers
HID acknowledged as Leader in Gartner Magic Quadrant for Indoor Location Services
Exclusive: How Darktrace is tackling AI-driven cybersecurity