
Zoom Unveils Open Source Vulnerability Impact Scoring System

Zoom launches an open source Vulnerability Impact Scoring System (VISS) tested within its bug bounty program.


Video conferencing giant Zoom on Thursday unveiled an open source vulnerability impact scoring system that it has been developing for the past year.

The Vulnerability Impact Scoring System, or VISS, is a customizable framework that provides a web-based user interface and algorithms to help organizations assess and prioritize vulnerabilities based on actual demonstrated exploitation rather than theoretical impact.

The company says VISS aims to complement the widely used Common Vulnerability Scoring System (CVSS), helping enhance incident response capabilities. 

Zoom has been testing the system within its bug bounty program since March and said the use of VISS has led to an increase in reports describing critical and high-severity vulnerabilities, with researchers investing more time and energy to demonstrate the practicality of their exploits.

VISS analyzes vulnerabilities based on 13 impact aspects focusing on platform, infrastructure and data. The severity of impact is expressed as a numerical score ranging from 0 to 100. The score is also influenced by a ‘compensating controls’ metric, which lets the user specify the existence of compensating security controls that would mitigate exploitation.

It remains to be seen how widely VISS gets adopted by organizations. The fact that it has been developed by a commercial organization could lower its chances of being widely used. 

There are several other vulnerability scoring and classification systems, including Stakeholder-Specific Vulnerability Categorization (SSVC), Exploit Prediction Scoring System (EPSS), and Tenable’s Vulnerability Priority Rating (VPR).

While they are being used to some extent, they seem unlikely to replace or be widely used alongside CVSS, which has been the industry standard for many years. 

CVSS has some issues, including subjectivity, narrow scope, and improper representation of real-world risks. However, the recently launched CVSS 4.0 aims to address some of these limitations. 


On the other hand, the general consensus seems to be that CVSS should not be used on its own to score risk or prioritize vulnerability patching. 


Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

