What is VISS?
The Vulnerability Impact Scoring System (VISS) captures objective impact characteristics of software, hardware, and firmware vulnerabilities in relation to infrastructure, technology stack, and customer data security. Unlike the Common Vulnerability Scoring System (CVSS), which subjectively evaluates vulnerabilities primarily from an attacker's viewpoint and assumes the worst-case impact, VISS measures responsibly demonstrated impact from a defender's perspective: it scores only the impact that has actually been demonstrated through exploitation, not the theoretical possibility that exploitation could occur. The resulting numerical score indicates the severity of that impact within a specific environment, taking into account the risk profile and risk tolerance of the environment owner. VISS does not replace CVSS; it is a complementary evaluation system that looks at the same vulnerability from a different standpoint.
VISS analysis evaluates thirteen impact aspects for each vulnerability, categorized into Platform, Infrastructure, and Data groups. The resulting VISS score ranges from 0 to 100 and can be adjusted using the Compensating Controls metric. Typically, the organization responsible for the system, environment, network, or product where the vulnerability is found calculates VISS scores. Alternatively, an external party like a bug bounty triage team may perform the evaluation on their behalf.
VISS aims to support incident response and security teams worldwide in making the internet more secure for everyone. It recognizes that scoring and responding effectively to security incidents is daunting without an objective measurement of a vulnerability's impact, and it is designed to address that gap.