There are two matters also brought up in this inquiry that deserve to be addressed.
First, a local denial of service (DoS) vulnerability for Mac devices. In this vulnerability, a hacker could potentially target a Mac user who already has Zoom installed with an endless loop of meeting join requests, effectively causing the targeted machine to lock up. Again, we have no indication that this ever happened. We released a fix for this in May 2019, though we did not force our users to update because it is empirically a low-risk vulnerability.
Second, when Zoom is installed on a Mac device by the user, a limited-functionality web server that can only respond to requests from the local machine is also installed on the device to help launch Zoom meetings. This is a workaround to a change introduced in Safari 12 that requires a user to confirm that they want to start the Zoom client prior to joining every meeting. The local web server enables users to avoid this extra click before joining every meeting. We feel that this is a legitimate solution to a poor user experience problem, enabling our users to have faster, one-click-to-join meetings. We are not alone among video conferencing providers in implementing this solution.
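As an added illustration (this is not Zoom's code and does not reproduce how its local web server was actually implemented), here is a minimal local launch helper in Python that shows the two properties a defender would verify on any such component: it binds only to the loopback address, and it rate-limits join requests so that a loop of requests like the one described above is refused rather than handed to the client every time. The endpoint path `/launch`, the `meeting` query parameter, the meeting-id format and the limit values are assumptions made for the example.

```python
"""Hypothetical local "launch helper" with a join-request rate limit.

Added example, not Zoom's code. It demonstrates two defensive properties for
a helper that launches a desktop client on behalf of the browser:
  1. it listens on the loopback interface only;
  2. it caps how many launches it will trigger per time window, so a flood of
     join requests is ignored instead of locking up the machine.
"""
import re
import time
from collections import deque
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import parse_qs, urlparse

LOOPBACK = "127.0.0.1"
MAX_JOINS = 3            # constructed limit: at most 3 launches ...
WINDOW_SECONDS = 10.0    # ... per 10-second sliding window
MEETING_ID_RE = re.compile(r"^\d{9,11}$")  # hypothetical meeting-id format


class JoinLimiter:
    """Sliding-window counter: allow at most max_joins launches per window."""

    def __init__(self, max_joins=MAX_JOINS, window=WINDOW_SECONDS):
        self.max_joins = max_joins
        self.window = window
        self.timestamps = deque()  # monotonic times of recent allowed launches

    def allow(self, now=None):
        now = time.monotonic() if now is None else now
        # Drop launches that have fallen out of the window.
        while self.timestamps and now - self.timestamps[0] >= self.window:
            self.timestamps.popleft()
        if len(self.timestamps) >= self.max_joins:
            return False
        self.timestamps.append(now)
        return True


def handle_join(path, limiter, now=None):
    """Decide what to do with one GET request; returns (status, message).

    Kept as a pure function so the policy can be tested without a socket.
    """
    parsed = urlparse(path)
    if parsed.path != "/launch":  # hypothetical endpoint name
        return 404, "unknown endpoint"
    meeting = parse_qs(parsed.query).get("meeting", [""])[0]
    if not MEETING_ID_RE.match(meeting):
        return 400, "invalid meeting id"
    if not limiter.allow(now):
        return 429, "too many join requests; ignoring"
    # A real helper would start the desktop client here.
    return 200, f"would launch client for meeting {meeting}"


class LaunchHandler(BaseHTTPRequestHandler):
    limiter = JoinLimiter()  # shared across requests for this process

    def do_GET(self):
        status, message = handle_join(self.path, self.limiter)
        # Every request is logged, so a flood is visible to the user/defender.
        self.log_message("join request %s -> %d %s", self.path, status, message)
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(message.encode())


def serve(port=0):
    """Bind to loopback only; port 0 lets the OS pick a free port."""
    return ThreadingHTTPServer((LOOPBACK, port), LaunchHandler)


if __name__ == "__main__":
    srv = serve()
    print(f"listening on {srv.server_address}")
    try:
        srv.serve_forever()
    except KeyboardInterrupt:
        srv.server_close()
```

Run it directly and it prints the loopback address and port it chose; a listing of listening sockets on the machine (for example `lsof -i -P | grep LISTEN` on macOS) should show it bound to 127.0.0.1 only. Repeating a request to `/launch?meeting=<id>` more than three times within ten seconds yields `429` instead of another launch, which is the behaviour that turns the described endless loop into a logged, ignored flood.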
Upon his initial communication to Zoom, the researcher asked whether Zoom provides bounties for security vulnerability submissions. Zoom invited the researcher to join our private paid bug bounty program, which he declined because of non-disclosure terms. It is common industry practice to require non-disclosure for private bug bounty programs.
Once the issue was brought to our Security team’s attention, we responded within ten minutes, gathering additional details, and proceeded to perform a risk assessment. Our determination was that both the DoS issue and the meeting join with camera on concern were low risk because, in the case of DoS, no user information was at risk, and in the case of meeting join, users have the ability to choose their camera settings. Our Security and Engineering teams engaged the researcher and were in frequent contact over the subsequent period. This engagement included disagreement about the severity of the meeting join concern. Ultimately, Zoom decided not to change the application functionality, though as mentioned above, we will be saving the user’s desired camera settings after a Zoom user joins their first meeting from a particular device.
We are grateful to this researcher for raising these concerns. We recommend that any other security concerns be sent to our 24/7 support team via support.zoom.us. Currently, this initiates our private bug bounty program, wherein we pay researchers for information on product vulnerabilities based on severity. We acknowledge that our website currently doesn’t provide clear information for reporting security concerns. As such, in the next several weeks, Zoom will go live with its public vulnerability disclosure program, supplementing our existing private bug bounty program. With the program launch, our website will be updated with a web submission form for all security-related concerns.