When videoconferencing service Zoom looked for a better way to assign a severity to vulnerabilities discovered through bug bounty programs, the company’s security team couldn’t find a suitable method: The popular Common Vulnerability Scoring System (CVSS) was too subjective, and the Exploit Prediction Scoring System (EPSS) was too focused on the likelihood of exploitation.
The company decided to create its own — the Vulnerability Impact Scoring System, or VISS — and publicly released the specification for the ratings in a calculator on its website. The scoring system helps both Zoom and any vulnerability researcher calculate the potential risks of a vulnerability, and thus the potential rewards, leading to a greater focus on critical and high severity vulnerabilities and less focus on medium and low severity, says Roy Davis, security manager at Zoom.
“What we tried to do with this is remove the subjectivity and make all of our choices binary,” he says, adding: “Right now, we’re only using this scoring to determine the monetary awards to measure the rewards [for] the severity of the vulnerability.”
While the company will still use CVSS internally, and will publish CVSS scores for all of its vulnerability advisories, VISS takes a lot of the guesswork out of rating the impact of a vulnerability for bug bounties, allowing both bug bounty programs and researchers to calculate the potential rewards in a transparent and defensible way, Davis argues.
But Zoom’s VISS joins a crowded arena of bug scoring systems. The CVSS, which just released its fourth version, is the most popular system for rating vulnerability severity currently in use. And the EPSS ranks vulnerabilities on the probability that they will be exploited in the next 30 days. There are less well-known rating systems too: For instance, the Stakeholder Specific Vulnerability Categorization (SSVC), created by Carnegie Mellon University’s Software Engineering Institute (SEI) in partnership with the US Cybersecurity and Infrastructure Security Agency (CISA), uses a decision tree to help prioritize vulnerabilities.
Zoom’s calculator for the Vulnerability Impact Scoring System. Source: Zoom.
While Zoom developed its scoring system to calculate bug bounties for its vulnerability rewards program, it could have much broader application. A system designed to help companies put a cash value on reported vulnerabilities could help better evaluate security issues to be patched, says Andrew Braunberg, principal analyst of security operations services at Omdia.
“Zoom is … using VISS not just to bubble up the most important vulnerabilities — i.e., prioritization — but to help assess a dollar value to the value of eliminating the risk — i.e., risk quantification,” he says. “It will be interesting to see if VISS is adopted by other organizations. It appears to offer good flexibility and transparency.”
Prompting Security Researchers to Find Better Vulnerabilities
The VISS measures software flaws on 13 aspects of their potential impact, resulting in a score from 0 to 100. During the summer HackerOne H1-4420 live hacking event, sponsored by Zoom, the company used VISS to rate reported vulnerabilities based on impact. The result: fewer lower severity vulnerabilities — the share of medium severity fell by 57% — and more higher severity vulnerabilities, with a 28% increase in critical issues and a 12% increase in high-severity bugs, says Zoom’s Davis.
“Before, we received a lot of reports that had theoretical impact, and we were paying them for those bugs,” he says. “At some point, you have to have a demonstration of actual impact to push your researcher community to the next level, and we really achieved that with this over the past 12 months — we saw our researchers putting in more time to really flesh out the actual impact.”
During the hacking event, Zoom used VISS to rate the bugs found by researchers and collected feedback about VISS functionality. Because Zoom is treating hackers as an integral part of the feedback loop to improve VISS, the rating system has already proven valuable, says Alex Rice, co-founder and CTO at HackerOne.
“We have found VISS can help hackers better anticipate what rewards they will receive from a vulnerability,” he says. “Predictable bounty amounts align security research to the highest impact areas, and that is a win for everyone.”
Focus on Payouts Makes a Better Bug-Bounty System?
Whether the focus on impact makes VISS any more valuable than other scoring systems is a matter of debate. Any scoring system shouldn’t just replicate what others are already doing, and VISS appears to try to cover some new ground — at least in terms of scope, says Brian Martin, vulnerability historian at Flashpoint, a threat intelligence firm.
“Do we need another scoring system? No, but kind of yes,” he says. “On one hand, we have too many SSes. We have CVSS version 2, version 3, version 4, we have EPSS, we have the ransomware prediction scoring system — So I am skeptical, but if it is more direct and to be used for a single purpose, such as bug bounties, then I can see it being useful.”
Still, companies shouldn’t expect prioritizing vulnerabilities using VISS to be any easier than it is with other systems. While VISS may be simpler to calculate, it still requires informed answers to assign the right level of risk to vulnerabilities, says Tim Jarrett, vice president of product management for software security firm Veracode.
“Scoring models aren’t silver bullets,” he says. “You actually have to adopt them and use them and feed them. And I think that what this doesn’t do is make the problem of prioritizing vulnerabilities any less labor intensive.”
For its part, Zoom will continue to use VISS for its bug bounty programs and use CVSS for its internal security team to rate third-party vulnerabilities, says Zoom’s Davis.
“CVSS values are very good for a global audience, especially the new 4.0 version,” he says. “VISS, on the other hand, specifically measures the impact of a vulnerability to a single organization.”