Will Putting a Dollar Value on Vulnerabilities Help Prioritize Them?


December 18, 2023 at 03:42PM

Zoom developed the Vulnerability Impact Scoring System (VISS) as a more objective way to assess the severity of vulnerabilities found through its bug bounty programs. The system gives both the program and the researcher a transparent, defensible way to calculate the potential reward for a vulnerability, with the aim of steering effort toward critical and high-severity issues. VISS received positive feedback from security researchers during a live hacking event.

Based on the meeting notes, Zoom has developed its own Vulnerability Impact Scoring System (VISS) to assess and rank vulnerabilities found during bug bounty programs. VISS is designed to remove subjectivity and help calculate the potential risk of a vulnerability, which leads to a greater focus on critical and high-severity vulnerabilities and less focus on medium- and low-severity issues. It allows both bug bounty programs and researchers to calculate possible rewards transparently and defensibly. Zoom will continue to use the Common Vulnerability Scoring System (CVSS) internally, but VISS is tailored to its bug bounty programs.

Zoom used VISS during a live hacking event, which resulted in fewer lower-severity vulnerabilities being reported and an increase in critical and high-severity issues, showing that it prompted security researchers to find more impactful vulnerabilities. It has also been valuable to hackers in anticipating the rewards they will receive for reported vulnerabilities.

Although VISS may have broader applications beyond bug bounties, some experts believe that prioritizing vulnerabilities with VISS is no easier than with other scoring systems. VISS may be simpler to calculate, but it still requires knowledgeable answers to its questions in order to assign the right level of risk to a vulnerability.

Overall, Zoom will continue to use VISS for its bug bounty programs and CVSS for its internal security team's rating of third-party vulnerabilities. While some skepticism exists about whether another scoring system is needed, VISS's value lies in its focus on impact and in its potential to drive security researchers toward more critical and high-severity vulnerabilities.
