December 15, 2023 at 08:36AM
Zoom unveiled an open source Vulnerability Impact Scoring System (VISS) to help organizations assess and prioritize vulnerabilities based on actual exploitation. The system, designed to complement the Common Vulnerability Scoring System, led to increased reports of critical vulnerabilities during testing and analyzes vulnerabilities based on 13 impact aspects. It remains to be seen how widely VISS will be adopted.
Key takeaways from the announcement:
1. Zoom unveiled an open source Vulnerability Impact Scoring System (VISS), designed to prioritize vulnerabilities based on actual demonstrated exploitation rather than theoretical impact.
2. The VISS framework provides a web-based user interface and a scoring algorithm that assesses and prioritizes vulnerabilities across 13 impact aspects grouped under platform, infrastructure, and data. It produces a numerical score from 0 to 100, which is adjusted downward by a 'compensating controls' metric when existing mitigations limit the demonstrated impact.
3. Zoom has been testing the VISS system within its bug bounty program since March, leading to an increase in critical and high-severity vulnerability reports, with researchers investing more time and energy to demonstrate the practicality of their exploits.
4. While VISS aims to complement the widely used Common Vulnerability Scoring System (CVSS) rather than replace it, there is skepticism about wide adoption because it was developed by a commercial organization. Other complementary systems such as SSVC, EPSS, and VPR already exist, but none of them has displaced CVSS as the common reference score.
5. The industry-standard CVSS has known weaknesses, including subjectivity, narrow scope, and poor representation of real-world risk. The recently released CVSS 4.0 aims to address some of these limitations. It is generally agreed that CVSS should not be used on its own to score risk or to prioritize patching.
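To make the structure described in points 2 and 5 concrete, here is an added example of an impact-weighted triage model: 13 aspects grouped under platform, infrastructure, and data, a normalised 0 to 100 score, a compensating-controls factor, and a ranking that puts demonstrated impact ahead of a theoretical CVSS base score. This is illustrative code written for this page, not Zoom's VISS implementation; the aspect names, weights, multipliers, formula, and sample reports are all constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed illustration of an impact-weighted prioritization model in the
# spirit of the article (13 aspects grouped under platform, infrastructure and
# data; a 0-100 score; a compensating-controls factor). The aspect names,
# weights and the formula are assumptions for this example, NOT VISS's own.
ASPECT_WEIGHTS = {
    "platform": {
        "code_execution": 3,
        "privilege_escalation": 3,
        "tenant_isolation_breach": 3,
        "persistence": 2,
    },
    "infrastructure": {
        "lateral_movement": 2,
        "service_disruption": 2,
        "credential_access": 3,
        "supply_chain_reach": 3,
    },
    "data": {
        "confidentiality": 3,
        "integrity": 3,
        "availability": 2,
        "scope_of_users": 2,
        "sensitivity": 3,
    },
}
ALL_ASPECTS = {a: w for group in ASPECT_WEIGHTS.values() for a, w in group.items()}
MAX_RATING = 3  # each aspect is rated 0 (not demonstrated) .. 3 (fully demonstrated)
MAX_RAW = sum(ALL_ASPECTS.values()) * MAX_RATING

# Assumed multipliers: how much an existing compensating control reduces the
# demonstrated impact (e.g. a WAF rule or network segmentation already in place).
COMPENSATING_CONTROLS = {"none": 1.0, "partial": 0.7, "strong": 0.4}


def impact_score(ratings: dict, controls: str = "none") -> float:
    """Weighted, normalised 0-100 impact score from demonstrated-impact ratings.

    Only what the researcher actually demonstrated is rated; aspects that are
    not listed count as 0 (not demonstrated) and unknown aspects are rejected.
    """
    unknown = set(ratings) - set(ALL_ASPECTS)
    if unknown:
        raise ValueError(f"unknown impact aspects: {sorted(unknown)}")
    if controls not in COMPENSATING_CONTROLS:
        raise ValueError(f"unknown compensating-controls level: {controls!r}")
    raw = 0
    for aspect, rating in ratings.items():
        if not 0 <= rating <= MAX_RATING:
            raise ValueError(f"rating for {aspect} must be 0..{MAX_RATING}")
        raw += ALL_ASPECTS[aspect] * rating
    return 100.0 * raw / MAX_RAW * COMPENSATING_CONTROLS[controls]


@dataclass
class Finding:
    report_id: str
    cvss_base: float            # theoretical severity as submitted
    demonstrated: bool          # did the researcher show a working exploit?
    ratings: dict = field(default_factory=dict)
    controls: str = "none"

    @property
    def impact(self) -> float:
        # A report with no working exploit has no demonstrated impact to score.
        return impact_score(self.ratings, self.controls) if self.demonstrated else 0.0


def prioritize(findings: list) -> list:
    """Order findings for triage: demonstrated impact first, CVSS only as a tie-breaker.

    This is the 'do not use CVSS alone' point: a high CVSS base score with no
    demonstrated exploit ranks below a lower-severity bug that was shown to work.
    """
    return sorted(findings, key=lambda f: (f.demonstrated, f.impact, f.cvss_base), reverse=True)


# Constructed sample reports for the example (not real submissions).
SAMPLE_FINDINGS = [
    Finding("R-1", cvss_base=9.8, demonstrated=False),  # theoretical RCE, no PoC
    Finding("R-2", cvss_base=7.5, demonstrated=True,    # RCE in one tenant with DB read
            ratings={"code_execution": 3, "privilege_escalation": 1, "persistence": 1,
                     "credential_access": 2, "confidentiality": 3, "integrity": 1,
                     "scope_of_users": 1, "sensitivity": 3},
            controls="partial"),
    Finding("R-3", cvss_base=5.3, demonstrated=True,    # limited DoS, no mitigations
            ratings={"service_disruption": 2, "availability": 2}),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        print(f"{f.report_id}: CVSS {f.cvss_base}, demonstrated={f.demonstrated}, impact={f.impact:.1f}")
```

With these assumed weights, R-2 scores roughly 42 before and roughly 30 after its partial compensating control, and it still ranks ahead of R-1 despite R-1's higher CVSS base score, because R-1 demonstrates nothing. The multiplier table is the knob to argue about in a real program: a "strong" control that only halves the score may still leave a demonstrated RCE at the top of the queue, which is usually the intended outcome.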