Security & Privacy

Year in review: What our 2023 Bug Bounty program means for Zoom security

Zoom’s Bug Bounty Program incentivizes the discovery and responsible disclosure of security vulnerabilities. Here's a look at the past year's highlights.

3 min read

Updated on April 08, 2024

Published on April 03, 2024


Security is a constant focus at Zoom and an ongoing investment we remain committed to through a variety of programs and initiatives. The Zoom Bug Bounty Program is one such initiative aimed at enhancing online security and a shining example of the collaboration, innovation, and continuous improvement that encompasses the entire Zoom community. Since 2019, we’ve been actively working with the researcher community, and now, we are thrilled to announce we have awarded more than $10 million in bug bounty payments to help fortify Zoom's defenses and protect the privacy and security of our users. 

Zoom’s Bug Bounty Program is designed to incentivize the discovery and responsible disclosure of security vulnerabilities. In the past two years, we have implemented a streamlined process to ensure prompt reactions and responses to all security reports. Once a bug has been detected and submitted by one of our 800+ researchers, our security team will have the report analyzed, reproduced, and submitted to the correct internal development team for remediation, on average, within just a few hours. 

Over the past 3+ years, Zoom has been driving down the cost per report of operating the program while increasing the identification of vulnerabilities that have a tangible impact on our platform. In just three years, we've decreased the cost per valid report by 40% and observed more than double the number of submissions.

Looking back at our 2023 accomplishments

VISS

In January 2023, the Bug Bounty team committed to building, refining, and releasing an innovative new mechanism to measure the real-world impact that exploitation of a vulnerability has on a system. The March implementation of the Vulnerability Impact Scoring System, or VISS, was the result of this collaborative effort, which we open-sourced on GitHub.

Zoom has been using VISS for more than a year and has seen growing interest from other bug bounty teams looking for a more objective measure of vulnerability impact. To date, the collaboration and feedback about VISS have been positive. Security researchers are contributing feedback as well, which sharpens the focus of VISS and strengthens Zoom's transparent approach to bug bounty management.

“VISS allows us to tailor the security researchers’ work so that we’re focused on the things that are most important, that have the highest level of impact, and then our payouts are oriented accordingly,” explains Michael Adams, Zoom CISO. “Not only do I want to pay accordingly, but I want to incentivize accordingly, and if I can’t provide clarity within my scoring system, it’s hard for them to understand. We’re now able to provide a certain degree of clarity,” says Adams.

To delve into the specifics – and to try out Zoom’s implementation of the VISS calculator – check out the complete VISS specification.

HackerOne

We were also thrilled to be a sponsor of this year’s HackerOne H1-4420 event, which took place on June 22, 2023, at CodeNode in London. This event provided us with an invaluable opportunity to collaborate with over 90 of the most talented ethical hackers from 41 countries, all working together to help enhance the security of the Zoom platform. By actively engaging with this community, we can not only mitigate risks but also foster innovation and continuously improve our services. Here’s a recap of the event.

Bug bounty awards

2023 was a big year for us as we made bug bounty award payments of more than $2.4 million for 1,000+ separate valid reports submitted by more than 200 different security researchers. This brought the cumulative total bug bounty awards to more than $10 million.

Security remains a top focus for the road ahead

As artificial intelligence and machine learning are more tightly integrated into Zoom products, the Zoom Bug Bounty team has been busy working with many of our top researchers to identify vulnerabilities. The rise of generative AI introduces new security and privacy risks, including misinformation, data poisoning, and data exfiltration. Using the Campaigns functionality within our VIP programs on the HackerOne platform gives Zoom the backend processing it needs to run meaningful, bi-directional collaborations with researchers.

In addition to our focus on AI, we have a robust set of features slated for release this year as part of our 2024 roadmap. With this in mind, we look forward to a wave of new report submissions from our “Spring BREAKAGE” promotion, which began April 1, 2024, and runs throughout April. Several new features have been added to the testing scope, and bounties have been increased for this promotion.

If you’re interested in helping to make Zoom more secure, email your HackerOne profile name to bugbounty@zoom.us or visit the Zoom careers page to review the open positions within the Trust and Security teams. Happy hacking!

To learn more about Zoom privacy and security, visit our Trust Center. Found a bug? Submit a vulnerability issue here.
