Zoom has announced the general availability of its open-source project, the Vulnerability Impact Scoring System (VISS), which offers a unique approach to vulnerability assessment and incident response.
Unlike traditional systems, VISS focuses on the defender’s perspective, prioritising actual demonstrated impact over theoretical security threats. The system has been used in Zoom’s Bug Bounty Program since March 2023, leading to a significant shift towards higher-impact findings.
VISS is designed to help security teams prioritise vulnerabilities that are most likely to impact their organisation, thus enhancing their incident response capabilities.
- Zoom has announced the general availability of their open-source project, the Vulnerability Impact Scoring System (VISS), which aims to enhance security measures by prioritizing actual demonstrated impact over theoretical threats.
- VISS complements traditional scoring systems by providing a unique assessment system that enhances incident response capabilities from a defender’s perspective.
- Since implementing VISS, Zoom has seen a notable increase in high-impact vulnerability findings, reflecting researchers’ deeper exploration of potential vulnerabilities.
Revolutionising Vulnerability Assessment: The VISS Approach
In a bid to transform the landscape of vulnerability assessment and incident response, an innovative open-source project has been launched: the Vulnerability Impact Scoring System (VISS). This state-of-the-art initiative aims to bolster security measures by implementing a revolutionary approach to vulnerability scoring. VISS provides a user-friendly web-based UI along with advanced algorithms that prioritise authentic demonstrated impact over theoretical security possibilities.
Understanding VISS: A New Defender’s Perspective
Unlike conventional scoring systems like the Common Vulnerability Scoring System (CVSS), which tend to focus on the attacker’s viewpoint and worst-case scenarios, VISS offers a fresh perspective. It enhances incident response capabilities by objectively measuring the impact of vulnerabilities from a defender’s stance, basing its evaluations on responsibly demonstrated exploitation rather than theoretical threats.
Since March 2023, this novel scoring system has been utilised by Zoom for assessing reward disbursements within their Bug Bounty Programme. This initiative provides security researchers and product users with a secure platform to uncover and disclose security vulnerabilities without fear of legal repercussions. The programme, often accompanied by a finder’s fee, has experienced a marked transformation in submitted reports, indicating an evolution from previous practices.
The Significance of VISS
The VISS system can aid you in proactively safeguarding your environment and prioritising the vulnerabilities that are most likely to affect your organisation. In an era where many companies are reducing headcount, this prioritisation is crucial for understanding where to allocate time and effort for maximum value.
Dissecting VISS
VISS analyses vulnerabilities based on 13 impact aspects categorised into platform, infrastructure, and data groups. The resulting score, ranging from 0 to 100, indicates the severity of impact within a specific environment. VISS scores are adjustable, allowing environment owners to tailor scores according to their individual risk profile and tolerance via a robust administration portal.
VISS in Action: A HackerOne Case Study
In 2023, Zoom sponsored the HackerOne H1-4420 live-hacking event in London, where hackers’ vulnerability report submissions underwent advanced bug evaluation using both CVSS and VISS. This demonstrated the effectiveness of VISS in facilitating improved resource allocation and an intensified focus on addressing Critical and High severity vulnerabilities.
Targeting High Severity Vulnerabilities
Following the adoption of VISS, vulnerability report submissions have trended towards High and Critical severities. Researchers are dedicating more time and effort towards developing their exploits beyond the theoretical, focusing more on demonstrated impact. Between March and December 2023, Zoom witnessed a 28% increase in Critical and a 12% rise in High-severity reports, coupled with a significant 57% decrease in medium-severity submissions.
Enabling Security Teams Globally
The mission of VISS extends beyond Zoom’s boundaries to aid incident response and security teams worldwide. By providing the industry with a comprehensive and objective measure of vulnerability impact, VISS contributes to the ongoing quest for a secure internet for everyone.
Final Thoughts
The launch of VISS represents a significant step forward in the field of security vulnerability assessment and incident response. It offers a unique perspective that prioritises the tangible impact of vulnerabilities over theoretical threats, which could potentially revolutionise how organisations protect themselves.
While it’s yet early days, the positive response and demonstrable results this project has garnered are promising. It’ll be interesting to see how VISS evolves and what impact it will have on the broader security landscape as more organisations adopt it.
FAQ
Q: What is the Vulnerability Impact Scoring System (VISS)?
A: VISS is an open-source project developed by Zoom to enhance security measures by providing a unique assessment system that measures the impact of vulnerabilities from a defender’s perspective. It complements traditional scoring systems like the Common Vulnerability Scoring System (CVSS) by prioritizing actual demonstrated impact over theoretical threats.
Q: How does VISS differ from CVSS?
A: While CVSS focuses on an attacker’s viewpoint and worst-case scenarios, VISS takes a different approach. It objectively measures the impact of vulnerabilities from a defender’s perspective, basing its evaluations on responsibly demonstrated exploitation rather than theoretical threats.
Q: How has VISS been implemented by Zoom?
A: Since March 2023, Zoom has employed VISS to assess reward disbursements within its Bug Bounty Program. This program provides a secure environment for security researchers and product users to uncover and disclose vulnerabilities to Zoom without fear of legal repercussions. VISS has transformed the program, leading to higher-impact findings and more intricate multi-step exploitations.
Q: Why is VISS important?
A: VISS helps organizations proactively protect their environments by prioritizing vulnerabilities that are most likely to impact their organization. With companies reducing headcount, this prioritization is crucial in focusing time and effort where it will have the maximum value.
Q: How does VISS analyze vulnerabilities?
A: VISS analyzes vulnerabilities based on 13 impact aspects, which are grouped into platform, infrastructure, and data categories. The resulting numerical score ranges from 0 to 100 and reflects the severity of impact within a specific environment. VISS scores are adjustable using the Compensating Controls metric, allowing environment owners to tailor scores based on their individual risk profile and tolerance.
Q: How has VISS been implemented in practice?
A: Zoom sponsored the HackerOne H1-4420 live-hacking event in London in 2023, where vulnerability report submissions underwent an advanced bug evaluation process using both CVSS and VISS. The effectiveness of VISS was demonstrated as it facilitated improved resource allocation and a heightened focus on addressing Critical and High severity vulnerabilities.
Q: What has been the impact of VISS implementation?
A: After implementing VISS, vulnerability report submissions shifted away from Low and Medium severities towards High and Critical severities. Researchers are now investing more time and energy into evolving their exploits beyond theoretical threats and towards demonstrated impact. Zoom observed a 28% surge in Critical and a 12% rise in High severity reports, along with a significant 57% reduction in Medium severity submissions compared to the period before VISS implementation.
Q: How does VISS empower security teams worldwide?
A: The mission of VISS extends beyond Zoom and aims to enhance incident response and security teams globally. By providing a comprehensive and objective measure of vulnerability impact, VISS contributes to the ongoing pursuit of a secure internet for everyone. Zoom invites users to explore VISS, contribute to its development, and join in revolutionizing vulnerability impact scoring.