Zoom Open-Sources VISS, a New Vulnerability Impact Scoring System

2024-07-04

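We place great value on original articles. To respect intellectual property and avoid potential copyright issues, we provide a summary of the article here for an initial overview. For the full text, visit the author's official account page.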

Original article: Zoom Open-Sources VISS, a New Vulnerability Impact Scoring System
Source: InfoQ
Zoom Vulnerability Impact Scoring System (VISS) Summary

Zoom has developed a new method for scoring vulnerabilities, known as the Vulnerability Impact Scoring System (VISS), which prioritizes actual impact rather than theoretical possibilities. This system was created over the past year and has been recently made open source.

Distinct from the Common Vulnerability Scoring System (CVSS), VISS does not focus on worst-case scenarios but attempts to objectively measure vulnerabilities from a defender's perspective. It utilizes a web-based UI to calculate a vulnerability score based on multiple parameters classified into platform, infrastructure, and data groups. These parameters encompass 13 aspects including platform impact, number of affected tenants, data implications, and more.

The VISS score is adjustable through compensating control indicators, offering flexibility and freedom for environment owners to tailor scores according to their individual risk configurations. Zoom has incorporated VISS as an assessment tool in its Bug Bounty Program, which has significantly improved the quality of submitted reports, aiding in the identification of where time and effort should be invested for maximum value.

VISS is designed to help proactively protect environments and prioritize vulnerabilities that are most likely to impact organizations, shifting focus from less impactful vulnerabilities that may not warrant valuable resources. It comes with a calibrated default configuration that ensures a smooth score distribution, with approximately 50% of reports categorized as medium severity, and the remaining split evenly between low and high severity. This default configuration can be adjusted to meet user requirements.

It is important to note that VISS is not intended to replace CVSS but to complement it by offering an additional perspective for assessment.

Source: https://www.infoq.com/news/2023/12/zoom-vulnerability-score-viss/

Article translated by InfoQ; reproduction without permission is prohibited.
