Protecting Zoom and customers: a look at Zoom’s Bug Bounty program’s success in 2022
In security, it’s all about who gets there first. We race to identify bugs and issues before the bad guys do, so we tap the ethical hacking community to help us get ahead.
We source this help through our Zoom Bug Bounty program, which lets us connect with and engage expert researchers that help us proactively mitigate risk and create a safer environment for our customers. And we’ve accomplished a lot as a community in the past year. Here’s a look:
2022 in retrospect
We test our infrastructure every day at Zoom, but we know we’re not immune to edge-case vulnerabilities. So, we call in backup — the ethical hacker community can sometimes detect bugs that may only be discovered in certain circumstances.
That’s why our bug bounty program focuses on recruiting skilled, effective researchers. In 2022, we sent additional invitations to researchers to join our HackerOne program with a focus on attracting active security talent. We also like to go beyond our program to find talent, so we tapped into the community via industry events like H1-702.
These researchers work hard to help us, so we strive to celebrate successful report submissions accordingly. In fiscal year 2023, we awarded $3.9 million in bounties to hundreds of researchers, bringing the total to more than $7 million since the program began.
Beyond identifying vulnerabilities, outside researchers’ support has helped us make other forms of progress at Zoom. We used these reports to demonstrate items that needed attention, flag the root causes of issues, create better cross-functional alignment, and find potential threats before they become a problem. As a result, our time to resolution for bug bounty reports has significantly improved over the past two years.
Updating our program for 2023 and beyond
At the start of this year, we restructured our team and developed updates to the program for FY24. We evaluated the researchers currently in our program to make sure everyone is active and contributing. We want to put our best foot forward in the new year, and that starts with working with high-caliber, effective researchers.
Zoom’s Bug Bounty program is also implementing a brand new vulnerability impact scoring system to help researchers do their best work yet. While we will continue to use the industry-standard Common Vulnerability Scoring System (CVSS) to score reports, we’re evolving our program to add a companion scoring system called the Vulnerability Impact Scoring System (VISS). VISS analyzes 13 different aspects of impact for each reported vulnerability as they relate to Zoom’s infrastructure, technology, and the security of customer data. With VISS in place, the Bug Bounty program can focus more on measuring responsibly demonstrated impact rather than the theoretical possibility of exploitation.
The road ahead
As the Zoom Bug Bounty program has grown over the past year, we’re continuing to evolve and mature our processes, bounty awards, and testing scope. We’re very excited to see the impact of our new scoring system and all the good our researchers can do in 2023.