Unveiling VISS: a revolutionary approach to vulnerability impact scoring

To help reshape the vulnerability assessment and incident response landscape, we are thrilled to announce the general availability of our innovative open-source project: the Vulnerability Impact Scoring System, or VISS. Developed over the past year, this project aims to enhance security measures for a safer digital landscape through our groundbreaking approach to vulnerability scoring. VISS provides a user-friendly web-based UI and advanced algorithms that prioritize actual demonstrated impact over theoretical security impact possibilities.

While traditional scoring systems like the Common Vulnerability Scoring System (CVSS) focus on an attacker's viewpoint and worst-case scenarios, VISS takes a different stance. It complements CVSS by offering a unique assessment system that enhances incident response capabilities. By objectively measuring the impact of vulnerabilities from a defender's perspective, VISS can base its evaluations on responsibly demonstrated exploitation rather than theoretical threats. 

Since March 2023, Zoom has employed this innovative scoring system to assess the reward disbursements within our Bug Bounty Program. This program offers a secure haven for security researchers and product users to uncover and disclose security vulnerabilities to Zoom, all without the apprehension of facing legal reprisal. Often accompanied by a finder's fee – referred to as a bounty – this initiative has witnessed a notable transformation in submitted reports, marking a significant evolution from previous practices.

We believe this discernible trend toward higher-impact findings and increasingly intricate multi-step exploitations reflects how researchers are dedicating additional time to delve deeper into the nuance of potential vulnerabilities.

Instead of focusing precious limited resources on vulnerabilities that are less likely to have tangible impact, VISS can help you proactively protect your environment and prioritize the vulnerabilities that are most likely to impact your organization. With many companies reducing headcount over the past year, this prioritization is crucial to help you understand where to focus time and effort for maximum value.

VISS analyzes vulnerabilities based on 13 impact aspects, which are categorized into platform, infrastructure, and data groups. The resulting numerical score – ranging from 0 to 100 – reflects the severity of impact within a specific environment. Using the Compensating Controls metric, VISS scores are adjustable and provide flexibility for environment owners to tailor scores according to their individual risk profile and tolerance through a robust administration portal.

To delve into the specifics, and to try out Zoom’s implementation of the VISS calculator, check out the complete VISS specification.

Zoom sponsored the HackerOne H1-4420 live-hacking event in London in 2023, and during this event, hackers’ vulnerability report submissions underwent an advanced bug evaluation process using both CVSS and VISS. Demonstrating the effectiveness of VISS, this method facilitated improved resource allocation and a heightened concentration on addressing Critical and High severity vulnerabilities. 

After moving to VISS, vulnerability report submissions have shifted away from Low and Medium severities, toward High and Critical severities. Researchers are investing more time and energy to evolve their exploits beyond the theoretical, and more toward demonstrated impact. For the period between March 2023 and December 1, 2023, Zoom observed a 28% surge in Critical and a 12% rise in High severity reports. Notably, there was a significant 57% reduction in medium severity submissions compared to the preceding 8 months before VISS implementation in March 2023. 

The mission of VISS extends beyond Zoom, aiming to help enhance incident response and security teams globally. By providing the industry with a comprehensive and objective measure of vulnerability impact, VISS contributes to the ongoing pursuit of a secure internet for everyone.
We invite you to explore VISS, contribute to its development, and join us in revolutionizing vulnerability impact scoring. Let's build a safer digital future together. Check out the open source repository at https://github.com/zoom/viss.

The source code is subject to the GPL 3.0 license.