Zoom launches Open-source Vulnerability Impact Scoring System

Zoom, the popular video conferencing platform, has announced its Vulnerability Impact Scoring System (VISS), which it is releasing as open source.

The system is designed to provide a standardized method for evaluating the impact of vulnerabilities found in a product or environment, rather than only their theoretical severity.

The version 1.0 specification has been made available to the public, so that software developers and security researchers can identify and prioritize vulnerabilities more consistently and take appropriate action to mitigate them.

Zoom Video Communications, Inc. is a communications technology company headquartered in San Jose, California. The company offers a cloud-based software platform through which users make phone calls, hold video conferences, send messages, host virtual events, and operate contact centers.

VISS was developed specifically to score the primary effects of software, hardware, and firmware vulnerabilities on the connected infrastructure, the technology stack, and the security of customer information.

Vulnerability reports are usually rated with the industry-standard Common Vulnerability Scoring System (CVSS), which considers the worst-case scenario and is evaluated predominantly from the attacker's perspective. VISS complements it by scoring the demonstrated impact of a responsibly disclosed vulnerability from the defender's perspective.

This helps in determining the real-world impact of a vulnerability and in prioritizing mitigation efforts.

A VISS analysis scores each vulnerability on thirteen distinct impact aspects, grouped into three impact categories: Platform, Infrastructure, and Data. From the value selected for each aspect, the VISS calculation produces a score between 0 and 100.

When a vulnerability is found in a system, network, environment, or product, the entity responsible for maintaining it typically assigns the VISS score to assess the vulnerability's severity. The score can be produced internally by the company or by an external third party, such as a bug bounty triage team, that evaluates the vulnerability on the company's behalf.

VISS can also be extended beyond the basic impact assessment with additional metrics, such as a CVSS score, a STRIDE and/or DREAD model, the number of impacted customers, the possible financial loss, or the presence of a threat to life or property.

If a company wants to factor in any of these extra variables, VISS is flexible enough to let it define additional metric options and add them to the VISS calculator.

Thirteen aspects of the impact

The score is calculated from a set of equations that account for the weight assigned to each variable and for how the variables relate to and affect one another.

The VISS computation also includes three built-in influencing variables, MA, MB, and MC. They allow magnitude rebasing when the implementing organization has decided that some parts of VISS are more or less significant in its particular situation. Each of these variables takes a value between 0 and 1.

Equations

Each numeric score can then be mapped to a qualitative rating on a defined scale.
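As an added illustration of the structure described above, the following Python models a VISS-style calculation: thirteen aspect values grouped into the Platform, Infrastructure, and Data categories, a weighted combination, magnitude rebasing with MA, MB, and MC, and a 0-100 score mapped to a qualitative rating. This is not Zoom's VISS code and does not reproduce the published VISS 1.0 equations or rating scale, which this article does not include; the 4/4/5 split of aspects across categories, the per-aspect weights, the compounding combination formula, and the rating thresholds are all assumptions chosen for the example.

```python
"""Illustrative VISS-style impact calculator (added example, not Zoom's code).

Assumptions, chosen for illustration only: aspects are scored 0..1, each
category is a weighted mean of its aspects, categories compound into the
final score, and the rating thresholds are made up. The VISS 1.0
specification defines its own aspects, equations and scale.
"""
from dataclasses import dataclass
from typing import Sequence

ASPECT_COUNT = 13  # from the article: thirteen impact aspects in total


@dataclass(frozen=True)
class Category:
    """Selected value (0..1) and weight for each aspect in one category."""
    name: str
    values: Sequence[float]
    weights: Sequence[float]

    def __post_init__(self) -> None:
        if len(self.values) != len(self.weights):
            raise ValueError(f"{self.name}: one weight per aspect required")
        if any(not 0.0 <= v <= 1.0 for v in self.values):
            raise ValueError(f"{self.name}: aspect values must lie in [0, 1]")
        if any(w < 0 for w in self.weights) or sum(self.weights) == 0:
            raise ValueError(f"{self.name}: weights must be >= 0, not all zero")

    def raw_impact(self) -> float:
        """Weighted mean of the aspect values, in [0, 1] (assumed equation)."""
        total = sum(v * w for v, w in zip(self.values, self.weights))
        return total / sum(self.weights)


def rebase(raw: Sequence[float], ma: float, mb: float, mc: float) -> list:
    """Apply MA, MB, MC to Platform, Infrastructure and Data respectively.

    1.0 leaves a category untouched; 0.0 removes it from the score entirely.
    Values outside [0, 1] are rejected, matching the range the article gives.
    """
    magnitudes = (ma, mb, mc)
    if any(not 0.0 <= m <= 1.0 for m in magnitudes):
        raise ValueError("MA, MB and MC must lie in [0, 1]")
    return [r * m for r, m in zip(raw, magnitudes)]


def combine(rebased: Sequence[float]) -> float:
    """Assumed combination 1 - prod(1 - r_i): impact compounds across
    categories, so two half-impacted categories outscore one."""
    remaining = 1.0
    for r in rebased:
        remaining *= 1.0 - r
    return 1.0 - remaining


def viss_like_score(platform: Category, infrastructure: Category,
                    data: Category, ma: float = 1.0, mb: float = 1.0,
                    mc: float = 1.0) -> float:
    """Return the 0..100 score (rounded to one decimal) for one assessment."""
    cats = (platform, infrastructure, data)
    if sum(len(c.values) for c in cats) != ASPECT_COUNT:
        raise ValueError(f"expected {ASPECT_COUNT} aspects in total")
    raw = [c.raw_impact() for c in cats]
    score = 100.0 * combine(rebase(raw, ma, mb, mc))
    return round(min(max(score, 0.0), 100.0), 1)


def rating(score: float) -> str:
    """Assumed qualitative scale; the VISS specification defines its own."""
    if score == 0:
        return "None"
    if score < 40:
        return "Low"
    if score < 70:
        return "Medium"
    if score < 90:
        return "High"
    return "Critical"


# Constructed sample assessment (not a real vulnerability): platform aspects
# mostly impacted, infrastructure half impacted, customer data untouched.
SAMPLE = dict(
    platform=Category("Platform", [1.0, 0.5, 0.0, 0.5], [2, 1, 1, 1]),
    infrastructure=Category("Infrastructure", [0.5] * 4, [1] * 4),
    data=Category("Data", [0.0] * 5, [1] * 5),
)


if __name__ == "__main__":
    # Same assessment, three rebasing choices: defaults, Platform switched
    # off (MA=0), Infrastructure halved (MB=0.5).
    for ma, mb, mc in ((1.0, 1.0, 1.0), (0.0, 1.0, 1.0), (1.0, 0.5, 1.0)):
        s = viss_like_score(**SAMPLE, ma=ma, mb=mb, mc=mc)
        print(f"MA={ma} MB={mb} MC={mc}: {s:5.1f} -> {rating(s)}")
```

Running the sample shows what magnitude rebasing does in practice: with MA=0 the Platform category drops out and only the Infrastructure impact remains, so the same finding falls from a High to a Medium rating, which is the kind of organization-specific adjustment the MA, MB, and MC variables are meant to express.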

Rating Score