Zoom paid $3.9 million to bug bounty hunters in fiscal year 2023, which means its Bug Bounty program has now surpassed $7 million in total awards.
The program, which began in 2019, calls on the expertise of the ethical hacking community to find vulnerabilities in Zoom’s platform. In return, Zoom pays a reward that averaged nearly $4,500 per bug, based on its 2021 figures.
To attract professional hackers, Zoom created a private program via the cybersecurity company HackerOne, which Zoom describes as the “industry’s leading provider” for connecting with IT security professionals. It has also sought to attract talent through live hacking events such as H1-702.
Roy Davis, Security Manager at Zoom, said: “In security, it’s all about who gets there first.
“We race to identify bugs and issues before the bad guys do, so we tap the ethical hacking community to help us get ahead.
“We source this help through our Zoom Bug Bounty program, which lets us connect with and engage expert researchers that help us proactively mitigate risk and create a safer environment for our customers. And we’ve accomplished a lot as a community in the past year.”
As well as locating vulnerabilities, hackers help Zoom improve its service in a number of other ways. The submitted reports detail areas that need attention, highlight root causes, improve cross-functional alignment, and isolate threats before they cause problems.
Zoom’s security team is also now resolving reports much faster than it did when the program first started.
2023 and Future Updates
Zoom has “restructured” its team and developed updates for the fiscal year 2024 program, which may be connected to the 15% of staff laid off by Zoom last month. Researchers were evaluated based on their level of contribution, which Zoom says will create a more effective task force and put it in a better position going forward.
Zoom’s Bug Bounty program is updating its vulnerability scoring by adding a companion scoring system, the Vulnerability Impact Scoring System (VISS), to work alongside the industry-standard Common Vulnerability Scoring System (CVSS).
VISS is expected to improve the quality of submissions by assessing 13 areas of impact across Zoom’s infrastructure, technology, and customer data security. Where a CVSS score rates the generic severity of a weakness, VISS is intended to measure the demonstrated impact of that weakness in Zoom’s own environment, adding context beyond theoretical exploitability.
HackerOne program
HackerOne is a cybersecurity company, which specialises in attack resistance management through the use of ethical hackers and other techniques. The HackerOne website claims its members have collectively earned more than $100 million in rewards.
Last year, Davis explained the benefits of employing HackerOne professionals: “While Zoom tests our solutions and infrastructure every day, we know it’s important to augment this testing by tapping the ethical hacker community to help identify edge-case vulnerabilities that may only be detectable under certain use cases and circumstances.
“That is why Zoom has invested in a skilled, global team of security researchers via a private bug bounty program on HackerOne’s platform, which is the industry’s leading provider for recruiting and engaging with security-focused professionals.”
In 2022, Zoom reported that it had recruited over 800 hackers via the HackerOne platform. Private bug bounty programs such as this are invitation-only and set out eligibility criteria that researchers must meet in order to take part.
For example, researchers must not have been employed by Zoom within the previous 12 months, the vulnerability must be original and discovered by the person submitting the report, and no reward is issued for bugs that are already known and being fixed, among other conditions.
There is also a long list of conduct guidelines for hackers to follow, ultimately to ensure ethical practices that do not negatively affect Zoom or its customers.
Last year, Zoom announced several privacy and security updates, including new third-party certifications, privacy features, and security collaborations.