
Zoom Open-sources New Vulnerability Impact Scoring System VISS


Zoom's Vulnerability Impact Scoring System, or VISS for short, aims to help organizations enforce security measures based on a new approach to vulnerability scoring that prioritizes actual demonstrated impact over theoretical worst-case security impact.

Developed over the past year and recently open-sourced, VISS differs from the Common Vulnerability Scoring System (CVSS) in that it does not focus on worst-case scenarios and instead attempts to measure the impact of vulnerabilities more objectively, from a defender's point of view. To this end, VISS provides a Web-based UI that calculates the vulnerability score from several parameters, categorized into platform, infrastructure, and data groups. These 13 parameters include the impact on the platform, the number of tenants impacted, the data impact, and so on.

Using the Compensating Controls metric, VISS scores are adjustable and provide flexibility for environment owners to tailor scores according to their individual risk profile and tolerance.

Zoom uses VISS as a tool to assess rewards within its Bug Bounty Program and reports a notable impact on the quality of submitted reports, which helps the company understand where to focus time and effort for maximum value.

Instead of focusing precious limited resources on vulnerabilities that are less likely to have tangible impact, VISS can help you proactively protect your environment and prioritize the vulnerabilities that are most likely to impact your organization.

VISS comes with a default configuration calibrated to provide a smooth score distribution where about 50% of the reports are classified as medium-severity, while low- and high-severity reports account for about 25% each. This configuration can be adapted based on user requirements.

It's worth noting that VISS does not replace CVSS, but rather complements it to provide an additional evaluation viewpoint.
