
Zoom open-sources a new vulnerability impact scoring system, VISS

2024-07-04
Zoom Vulnerability Impact Scoring System (VISS) Summary

Zoom has developed a new method for scoring vulnerabilities, the Vulnerability Impact Scoring System (VISS), which prioritizes the impact a vulnerability actually has in a given environment over what it could theoretically do. The system was built over the past year and has recently been released as open source.

Unlike the Common Vulnerability Scoring System (CVSS), VISS does not score the worst case; it attempts to measure a vulnerability objectively from the defender's perspective. A web-based UI calculates the score from a set of parameters classified into three groups: platform, infrastructure, and data. Across those groups there are 13 aspects, including platform impact, the number of affected tenants, and the data implications.

The VISS score can be adjusted through compensating control indicators, giving environment owners the flexibility to tailor scores to their own risk posture. Because those adjustments are environment-specific, an adjusted score describes the vulnerability as it stands in one deployment rather than in isolation, so adjusted scores are not directly comparable across organizations. Zoom has adopted VISS as an assessment tool in its Bug Bounty Program, which it says has significantly improved the quality of submitted reports and helped identify where time and effort should be invested for maximum value.

VISS is designed to help defenders protect their environments proactively and to prioritize the vulnerabilities most likely to affect the organization, shifting attention away from less impactful findings that may not warrant scarce resources. It ships with a calibrated default configuration that yields a smooth score distribution: roughly 50% of reports fall into medium severity, with the remainder split evenly between low and high. This default can be adjusted to the user's requirements.
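The two mechanisms the summary describes, a compensating-control adjustment applied on top of a grouped impact score and band cut-offs calibrated so that a population of reports lands roughly 25% low / 50% medium / 25% high, can be illustrated with a small toy scorer. This is an added example written for this page, not Zoom's code and not the published VISS formula: the three group names come from the summary, but the group weights, the 0..1 parameter scale, the illustrative parameter names, the multiplicative compensating-control factor, and the percentile-based calibration are all assumptions made here.

```python
"""Toy impact scorer in the spirit of VISS (illustration only).

Assumptions, not VISS: group weights, 0..1 parameter values, parameter
names, multiplicative compensating-control factors, percentile calibration.
"""
from dataclasses import dataclass, field
from statistics import mean

GROUP_WEIGHTS = {"platform": 0.4, "infrastructure": 0.3, "data": 0.3}  # assumed


@dataclass
class Report:
    name: str
    # each group maps an illustrative parameter name -> observed impact in [0, 1]
    platform: dict = field(default_factory=dict)
    infrastructure: dict = field(default_factory=dict)
    data: dict = field(default_factory=dict)
    # compensating controls the environment owner asserts, each given as a
    # residual-impact multiplier in (0, 1] (1.0 = control has no effect)
    compensating: dict = field(default_factory=dict)


def raw_score(r: Report) -> float:
    """Weighted mean of the three impact groups, scaled to 0..100."""
    total = 0.0
    for group, weight in GROUP_WEIGHTS.items():
        params = getattr(r, group)
        total += weight * (mean(params.values()) if params else 0.0)
    return round(100 * total, 2)


def adjusted_score(r: Report) -> float:
    """Apply compensating controls: every factor scales residual impact down."""
    factor = 1.0
    for name, f in r.compensating.items():
        if not 0 < f <= 1:
            raise ValueError(f"{name}: factor must be in (0, 1], got {f}")
        factor *= f
    return round(raw_score(r) * factor, 2)


def calibrate(scores, low_frac=0.25, high_frac=0.25):
    """Choose band cut-offs so a score population splits low/medium/high in
    the requested proportions (default 25/50/25, as the summary describes).

    Ties exactly at a cut-off shift the split; a smooth distribution avoids that.
    """
    s = sorted(scores)
    n = len(s)
    low_cut = s[int(n * low_frac)]          # scores below this are low
    high_cut = s[int(n * (1 - high_frac))]  # scores at/above this are high
    return low_cut, high_cut


def band(score, cuts):
    low_cut, high_cut = cuts
    if score < low_cut:
        return "low"
    if score >= high_cut:
        return "high"
    return "medium"


def distribution(reports):
    """Calibrate on the population and count how many reports land in each band."""
    scores = [adjusted_score(r) for r in reports]
    cuts = calibrate(scores)
    counts = {"low": 0, "medium": 0, "high": 0}
    for sc in scores:
        counts[band(sc, cuts)] += 1
    return cuts, counts


def sample_reports():
    """Constructed sample data: 20 reports of steadily increasing impact, plus a
    copy of the worst one whose owner has a compensating control in place."""
    reports = []
    for i in range(20):
        t = i / 19
        reports.append(Report(
            name=f"report-{i:02d}",
            platform={"impact": t, "tenants_affected": t * 0.8},
            infrastructure={"privileges_gained": t ** 2},
            data={"confidentiality": t, "integrity": t * 0.5},
        ))
    mitigated = Report(
        name="report-19-segmented",
        platform={"impact": 1.0, "tenants_affected": 0.8},
        infrastructure={"privileges_gained": 1.0},
        data={"confidentiality": 1.0, "integrity": 0.5},
        compensating={"network_segmentation": 0.6},  # assumed residual factor
    )
    return reports, mitigated


if __name__ == "__main__":
    reports, mitigated = sample_reports()
    cuts, counts = distribution(reports)
    print("cut-offs (low < %.2f, high >= %.2f):" % cuts, counts)
    print(mitigated.name, adjusted_score(mitigated), band(adjusted_score(mitigated), cuts))
```

The point of the calibration step is that the band thresholds are derived from the population of reports the organization actually receives, which is what lets a default configuration target a given distribution; the compensating-control factor then moves an individual report within those bands without changing the bands themselves.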

VISS is not intended to replace CVSS; it complements it by offering an additional, impact-centred perspective for assessment.

Source: https://www.infoq.com/news/2023/12/zoom-vulnerability-score-viss/

Article translated by InfoQ, reproduction without permission is prohibited.
