When videoconferencing service Zoom searched for a better way to assign a severity to vulnerabilities found during bug bounty programs, the company’s security team could not find a suitable approach: The popular Common Vulnerability Scoring System (CVSS) was too subjective, and the Exploit Prediction Scoring System (EPSS) was too focused on the probability of exploitation.
The company decided to create its own — the Vulnerability Impact Scoring System, or VISS — and publicly released the specification for the rankings in a calculator on its site. The scoring system helps both Zoom and any vulnerability researcher calculate the potential risks of a vulnerability, and thus the potential rewards, leading to a greater focus on critical and high severity vulnerabilities and less focus on medium and low severity, says Roy Davis, security manager at Zoom.