Zoom - VISS Calculator

v1.1.0

Metric	Key	Value	Weight
ITN - Infrastructure	NA	N/A	0
	S	Single	0.374
	M	Multi	0.812
STN - Software	NA	N/A	0
	S	Single	0.374
	M	Multi	0.812
DTN - Database	NA	N/A	0
	S	Single	0.374
	M	Multi	0.812
TIM - Tenants Impacted	N	None	0
	D	Dev Only	0.7
	O	One	1
	M	Many	1.3
	A	All	1.5
PLI - Platform Impacted	NA	N/A	0
	T	3rd Party Hosted/Tool/Library	0.85
	M	Mobile Application	1
	W	Browser App / API Endpoint	1.1
	D	Desktop Application	1.1
	CUI	Customer Infrastructure	1.25
	ZI	Zoom Infrastructure	1.5
	DOC	Documentation	2
ICI - Confidentiality	N	None	0
	D	Network/DNS Configuration	0.1
	H	Hardware Configuration	0.125
	C	Container Configuration	0.175
	O	OS Configuration	0.215
	S	Software Configuration	0.25
	P	PKI/Secrets Configuration	0.3
	U	User Account Configuration	0.35
	ICRPE	Restricted PE	0.65
	ICRRCE	Restricted RCE	0.69
	ICUPE	Unrestricted PE	0.72
	ICURCE	Unrestricted RCE	0.8
III - Integrity	N	None	0
	D	Network/DNS Configuration	0.125
	H	Hardware Configuration	0.25
	C	Container Configuration	0.325
	O	OS Configuration	0.5
	S	Software Configuration	0.625
	P	PKI/Secrets Configuration	0.7
	U	User Account Configuration	0.75
	RRCE	Restricted RCE	0.8
	RPE	Restricted PE	0.8
	UPE	Unrestricted PE	0.9
	URCE	Unrestricted RCE	0.9
IAI - Availability	N	None	0
	SSS	Single Service on Single Container/VM/Machine	0.062
	SSM	Single Service on Multiple Containers/VMs/Machines	0.124
	SSAPG	Single Service on all Containers/VMs/Machines within a portion of a Geographic Area	0.186
	SSAEG	Single Service on all Containers/VMs/Machines within an entire Geographic Area	0.248
	SSAEI	Single Service on all Containers/VMs/Machines within the entire Infrastructure	0.31
	MSS	Multiple Services on Single Container/VM/Machine	0.372
	MSM	Multiple Services on Multiple Containers/VMs/Machines	0.434
	MSAPG	Multiple Services on all Containers/VMs/Machines within a portion of a Geographic Area	0.496
	MSAEG	Multiple Services on all Containers/VMs/Machines within an entire Geographic Area	0.558
	MSAEI	Multiple Services on all Containers/VMs/Machines within the entire Infrastructure	0.62
	ASS	All Services on Single Container/VM/Machine	0.682
	ASM	All Services on Multiple Containers/VMs/Machines	0.744
	ASAPG	All Services on all Containers/VMs/Machines within a portion of a Geographic Area	0.806
	ASAEG	All Services on all Containers/VMs/Machines within an entire Geographic Area	0.868
	ASAEI	All Services on all Containers/VMs/Machines within the entire Infrastructure	0.93
DCI - Confidentiality	N	None	0
	SU	Affects Data of a Single Victim in a Single Organization per attack	0.23
	SUSTO	Allows Session Takeover of a Single Victim in a Single Organization per attack	0.375
	MU	Affects Data of Multiple Victims within a Single Organization per attack	0.45
	SUATO	Allows Account Takeover of a Single Victim per attack	0.5
	SO	Affects the Data of one entire Organization, impacting all users	0.604
	CODO	Attacker authenticated to Org A can affect data in Org B (Cross Org).	0.66
	MUSTO	Allows Session Takeover of Multiple Victims within a Single Organization with a single attack	0.75
	MUATO	Allows Account Takeover of Multiple Victims within a Single Organization with a single attack	0.85
	MO	Affects the Data of multiple Organizations, impacting all users within all Orgs involved	0.9
	AO	Affects the Data of All Organizations, impacting all users	1
DII - Integrity	N	None	0
	SUDO	Affects Data of a Single Victim in a Single Organization per attack	0.23
	SUSTO	Allows Session Takeover of a Single Victim in a Single Organization per attack	0.45
	MUDO	Affects Data of Multiple Victims within a Single Organization per attack	0.45
	SUATO	Allows Account Takeover of a Single Victim per attack	0.5
	SO	Affects the Data of one entire Organization, impacting all users	0.604
	AO	Attacker authenticated to Org A can affect data in Org B (Cross Org).	0.66
	MUSTO	Allows Session Takeover of Multiple Victims within a Single Organization with a single attack	0.75
	MUATO	Allows Account Takeover of Multiple Victims within a Single Organization with a single attack	0.85
	MO	Affects the Data of multiple Organizations, impacting all users within all Orgs involved	0.9
	AODO	Affects the Data of All Organizations, impacting all users	1
UCI - Compensating Controls	MCC	Multiple Compensating Controls	0.5
	P	Prevents Impact	0.65
	EREK	Exploit Requires Entropic Key	0.7
	ERUI	Exploit Requires Victim Interaction	0.8
	REP	Requires Elevated Privileges	0.8
	L	Limits Impact	0.8
	NA	N/A	1
DAI - Availability	N	None	0
	SUDO	Affects Data of a Single Victim in a Single Organization per attack	0.23
	SUSTO	Allows Session Takeover of a Single Victim in a Single Organization per attack	0.45
	MUDO	Affects Data of Multiple Victims within a Single Organization per attack	0.45
	SUATO	Allows Account Takeover of a Single Victim per attack	0.5
	SO	Affects the Data of one entire Organization, impacting all users	0.604
	AO	Attacker authenticated to Org A can affect data in Org B (Cross Org).	0.66
	MUSTO	Allows Session Takeover of Multiple Victims within a Single Organization with a single attack	0.75
	MUATO	Allows Account Takeover of Multiple Victims within a Single Organization with a single attack	0.85
	MO	Affects the Data of multiple Organizations, impacting all users within all Orgs involved	0.9
	AODO	Affects the Data of All Organizations, impacting all users	1
DCL - Data Classification	N	None	0
	CPUB	Customer - Public	0.1
	P	Zoom Public	0.1
	T	Test Data Only	0.5
	CCFG	Customer - Internal/Org Configuration	1.1
	I	Zoom Internal	1.3
	S	Zoom Confidential	1.5
	R	Zoom Restricted	1.7
	C	Customer - Confidential/Personal Data/PII	2
	CIR	Customer - Irreplaceable	2
	CCON	Customer - Restricted Content/Secrets	3.5