Zoom open-sources VISS, a new Vulnerability Impact Scoring System
We place great value on original articles. To respect intellectual property and avoid potential copyright issues, we provide a summary of the article here for an initial overview. If you want to read the full text, visit the author's official account page to obtain the complete article.
Zoom Vulnerability Impact Scoring System (VISS) Summary
Zoom has developed a new method for scoring vulnerabilities, known as the Vulnerability Impact Scoring System (VISS), which prioritizes actual impact rather than theoretical possibilities. This system was created over the past year and has been recently made open source.
Distinct from the Common Vulnerability Scoring System (CVSS), VISS does not focus on worst-case scenarios but attempts to objectively measure vulnerabilities from a defender's perspective. It utilizes a web-based UI to calculate a vulnerability score based on multiple parameters classified into platform, infrastructure, and data groups. These parameters encompass 13 aspects including platform impact, number of affected tenants, data implications, and more.
The VISS score is adjustable through compensating control indicators, offering flexibility and freedom for environment owners to tailor scores according to their individual risk configurations. Zoom has incorporated VISS as an assessment tool in its Bug Bounty Program, which has significantly improved the quality of submitted reports, aiding in the identification of where time and effort should be invested for maximum value.
VISS is designed to help proactively protect environments and prioritize vulnerabilities that are most likely to impact organizations, shifting focus from less impactful vulnerabilities that may not warrant valuable resources. It comes with a calibrated default configuration that ensures a smooth score distribution, with approximately 50% of reports categorized as medium severity, and the remaining split evenly between low and high severity. This default configuration can be adjusted to meet user requirements.
It is important to note that VISS is not intended to replace CVSS but to complement it by offering an additional perspective for assessment.
Source: https://www.infoq.com/news/2023/12/zoom-vulnerability-score-viss/