Zoom’s security journey: Our 2024 bug bounty year in review

Zoom’s Bug Bounty Program incentivizes the discovery and responsible disclosure of security vulnerabilities. Here's a look at the past year's highlights. 

Updated on May 12, 2025

Published on May 12, 2025

At Zoom, security isn’t just a feature — it’s foundational to everything we build. We’re excited to share the remarkable progress we’ve made through our bug bounty initiatives in partnership with HackerOne. This year represented our strongest commitment yet to crowdsourced security, engaging with nearly 1000 talented researchers worldwide to make our products more secure for millions of people.

Our multi-layered security approach

This year, we continued our strategic approach of running multiple complementary programs:

  • Public “VDP” Bug Bounty Program: our front door for the global security researcher community
  • Private Program: working closely with select researchers on sensitive features
  • Zoom VIP: collaborating with elite researchers on our most critical systems
  • Specialized challenges: targeted security initiatives for emerging products

“Our multi-tiered approach lets us match the right security talent with the right testing environments,” explained Sandra McLeod, interim Chief Information Security Officer at Zoom. “This strategy delivered exceptional results throughout 2024.”

By the numbers: A year of security wins

Our bug bounty programs saw impressive engagement this year, with hundreds of unique vulnerabilities identified and addressed. Zoom’s engineering team’s efforts have resulted in a significant reduction in the average time-to-fix compared to previous years. Average time to resolution improved by over 90% from February 2024 to January 2025, and researcher participation doubled during the same period. According to HackerOne, the Zoom Bug Bounty program is among the top 10 with regard to bounty payouts across their entire platform. The statistics tell a compelling story: our security team resolved critical issues before they could be exploited, protecting our users while rewarding the talented researchers who help safeguard our platform.

Notable security improvements

Several standout vulnerabilities discovered through our programs led to key security improvements, including:

  • Enhanced authentication mechanisms across multiple services
  • Hardened API endpoints against emerging exploitation techniques
  • Strengthened data access controls in our cloud infrastructure
  • Refined permission systems in our collaboration tools

Each vulnerability addressed represents not just a patch, but a learning opportunity that has made our entire development process more secure.

Celebrating our security researchers

Behind every vulnerability report is a dedicated security researcher who chose to work with us to make Zoom more secure. We’re immensely grateful to this community and proud to highlight some exceptional contributors:

  • Several researchers achieved “elite” status in our program this year
  • Our top contributor identified 12 significant vulnerabilities
  • We welcomed hundreds of first-time reporters to our program

“The relationship between Zoom and the security research community has never been stronger,” noted our Bug Bounty program manager Clara Andress. “The collaborative atmosphere has fostered mutual respect and produced outstanding security outcomes.”

Looking ahead: Security in 2025

As we enter the new year, we’re excited to announce several enhancements to our bug bounty initiatives:

  • Expanded scope to include our newest product offerings
  • Increased bounty amounts across all severity levels
  • Faster triage process through enhanced automation
  • More specialized challenge events focused on emerging technologies

Our commitment remains unwavering: to build the most secure communications platform possible through open collaboration with the security community.

Join us on our security journey

Whether you’re an experienced vulnerability researcher or just starting your security journey, we invite you to participate in our bug bounty programs. Together, we can continue building a more secure digital world. Submit your ‘@wearehackerone.com’ email address to ‘bugbounty@zoom.us’ to join the team.

To learn more about Zoom privacy and security, visit our Trust Center. Found a bug? Submit a vulnerability issue here
