Zoom’s Bug Bounty Program Has Reached $1.8 Mn


Zoom prioritizes safe and secure virtual communication. Hundreds of its internal security engineers focus on the confidentiality and integrity of communications and meetings, as well as the availability and resilience of its worldwide infrastructure.

The company believes it is vital to build strong defenses to stay ahead of threats to its users and infrastructure, which is why it continually tests its platform and infrastructure to discover new and potential threats and vulnerabilities.

Zoom’s private bug bounty program has paid out $2.4 million in cash and merchandise to security researchers and has recruited over 800 ethical hackers via the HackerOne platform. In 2021 alone it paid $1.8 million to researchers for helping identify and resolve more than 400 security flaws, with rewards currently ranging from $250 to $50,000.

Zoom’s average first response time to bug submissions is under four hours, complete triage of a report normally takes less than 48 hours, and bounties are awarded within 14 days of report submission. The videoconferencing platform’s venture into bug bounty has seen early success, but how does it measure the ROI of such a program, and what lessons can CISOs draw when pitching bug bounty programs to senior management?

Zoom overhauled its bug bounty program in 2021.

Zoom described five important modifications it introduced in 2021 to improve the process, with a special emphasis on supporting researchers and recruiting fresh talent. A new “compensation menu” gives researchers specific bounty amounts depending on the kind of vulnerability discovered and its demonstrable impact on Zoom’s users and infrastructure.

Zoom also launched a public Vulnerability Disclosure Program (VDP), enabling anybody to submit vulnerability reports, not only established security researchers. According to the company, this has sped up the intake of reports and allowed the appropriate Zoom teams to get involved quickly, resulting in faster bug fixes and a more secure product.

The company started its VIP Bug Bounty program in October, which focuses on licensed versions of Zoom products and has broadened the scope of security testing. To meet the KPIs noted above, the team also concentrated on minimizing initial response, triage, remediation, and reward payout times, and held meet-and-greet sessions with researchers from around the globe.

How They Recruit for the Program

This past year, their Vulnerability Management and Bug Bounty (VMBB) team concentrated on navigating a difficult recruiting environment and attracting more “rock star” security researchers to the program by offering an exceptional experience.

To recruit top talent, they devised the following five principles to guide and improve the program:

1. Competitive rewards that accurately reflect the researchers’ work and the severity of the impact a vulnerability could have if exploited.
2. Professional contacts and direct interaction with the Zoom staff responsible for managing the bug bounty program, triaging report submissions, and determining reward amounts.
3. Keeping program response, remediation, and payment times to a minimum. Nobody, ethical hackers included, likes waiting to be heard or paid for their efforts.
4. Consistently broadening the attack surface of the bug bounty program, known as the “scope,” while explicitly specifying what is out of scope, or off-limits.
5. Clear and straightforward program rules that outline what forms of testing are permitted, the specifics of the program’s “Safe Harbor” policy, and a menu of reward payment ranges for particular types of vulnerability reports.

Interested in Joining the Zoom Bug Bounty Program?

The team learned and grew a great deal in 2021 and is eager to extend its efforts and collaborate with more ethical hackers in 2022/23. If you would like to help make Zoom more secure, send your HackerOne profile name to bugbounty@zoom.us or visit the Zoom careers website to see what opportunities are available on the Trust and Security teams.

Summary

Zoom Bug Bounty invites eligible individuals to submit vulnerability reports detailing the discovery and exploitation of flaws in specific “in scope” products and services. Under certain conditions, Zoom may award a monetary bounty to the security researcher who submitted the report.

References:

https://explore.zoom.us/docs/en-us/vulnerability-disclosure-policy.html

Bug Zero is a bug bounty and crowdsourced security testing platform. The platform is the intermediary that enables client organizations to publish their service endpoints so that bug hunters (security researchers / ethical hackers) registered on the platform can start testing them without any upfront charge. Bug hunters can begin testing as soon as a client organization publishes a new program. Bug Zero also offers private bug bounty programs for organizations with high security requirements.

https://bugzero.io/signup

Bug Zero is available to both hackers and organizations. Register for free, and let’s make cyberspace safe.
