Zoom recently introduced VISS, an open source Vulnerability Impact Scoring System designed to evaluate and prioritize vulnerabilities based on actual exploitation rather than theoretical impact alone. The customizable framework, which offers a web-based interface and scoring algorithms, is intended to complement the widely used CVSS. VISS, tested within Zoom’s bug bounty program, has reportedly increased critical vulnerability reports by encouraging researchers to demonstrate that their exploits are practical. Despite its potential, VISS’s adoption remains uncertain because it was developed by a commercial entity. While other scoring systems such as SSVC, EPSS, and VPR exist, CVSS continues as the industry standard, although it is criticized for its subjectivity and narrow scope. The newly launched CVSS 4.0 aims to address these limitations, yet the consensus is that it should not be the sole factor in risk assessment or vulnerability patch prioritization.
Read more: https://www.securityweek.com/zoom-unveils-open-source-vulnerability-impact-scoring-system/