Zoom’s Security Team is committed to protecting our users and their data. We believe the independent security research community is a key contributor to the security of the internet and welcome reports of potential security issues.
This policy provides guidelines for security researchers to conduct ethical research and coordinate disclosure of security vulnerabilities to Zoom.
We have developed this policy to reflect our values and uphold our sense of responsibility to security researchers who share their expertise with us. We encourage security researchers to report potential security vulnerabilities they’ve discovered so we can fix them and keep our users safe.
This program is only for the coordinated disclosure of potential software security vulnerabilities.
Vulnerability Disclosure Policy
Program Rules
- Notify us as soon as you discover a potential security vulnerability. Please do not attempt to prove your vulnerability on your own.
- Only use or access accounts and information that belong to you.
- Do not destroy or modify data that is not yours.
- Do not degrade the performance of Zoom products and services or the experience of our users.
- Do not perform social engineering, physical, or denial of service attacks on Zoom personnel, locations, or assets.
- Follow HackerOne’s disclosure guidelines, this Vulnerability Disclosure Policy, and all applicable laws.
Scope
- This policy applies to Zoom’s products, services, and systems. Always be careful to verify whose assets you are testing while performing research.
- Vulnerabilities found in vendor systems fall outside of this policy’s scope and should be reported directly to the vendor via their own disclosure programs.
- If you aren’t sure if a system is in scope or need help reporting a finding to a vendor, contact us at bugbounty@zoom.us. We’re happy to help!

Out of Scope Vulnerabilities
- Attacks requiring a man-in-the-middle (MITM) position or physical access to a user's device.
- Previously known vulnerable libraries without a working proof of concept.
- Clickjacking on pages with no sensitive actions.
- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions.
- Comma Separated Values (CSV) injection without demonstrating a vulnerability.
- Missing best practices in SSL/TLS configuration.
- Any activity that could lead to the disruption of our service (DoS).
- Content spoofing and text injection issues without a demonstrated attack vector or the ability to modify HTML/CSS.
- Rate-limiting or brute-force issues on non-authentication endpoints.
- Missing best practices in Content Security Policy.
- Missing HttpOnly or secure flags on cookies.
- Missing email best practices (invalid, incomplete or missing SPF/DKIM/DMARC records, etc.).
- Vulnerabilities only affecting users of outdated or unpatched browsers (more than two stable versions behind the latest released stable version).
- Software version disclosure / banner identification issues / descriptive error messages or headers (e.g., stack traces, application or server errors).
- Public zero-day vulnerabilities that have had an official patch for less than one month will be awarded on a case-by-case basis.
- Tabnabbing.
- Open redirect — unless an additional security impact can be demonstrated.
How to Report a Vulnerability
We accept potential security vulnerability reports through our public Vulnerability Disclosure form. We will acknowledge receipt of your report within one business day.
What we would like to see from you
To help us triage and remediate potential findings, a good vulnerability report should:
- Describe the vulnerability, precisely where it was discovered, and the real-world impact.
- Offer a detailed description of the steps needed to reproduce the vulnerability (proofs of concept, screenshots, and videos are helpful).
- Include one vulnerability per report (unless the vulnerabilities form an attack chain).
- Don't report automated scanner results without proof of exploitability.
What you can expect from us
When you choose to share your contact information with us, we commit to coordinating with you as openly and as quickly as possible.
- We will acknowledge that your report has been received within one business day.
- To the best of our ability, we will confirm the existence of the vulnerability to you and be as transparent as possible about the remediation process, including on issues or challenges that may delay resolution.
- We will maintain an open dialogue to discuss issues.

Other Terms and Conditions
Your participation in the Zoom Bug Bounty program does not create any kind of employment relationship or partnership between you and Zoom. You may not represent yourself as a Zoom employee or someone who is affiliated in any way with Zoom. You must comply with all applicable laws in connection with your participation in this program. You are responsible for any applicable taxes associated with any reward/bounty you receive. Vulnerability reports received prior to the launch of this program are not eligible for rewards and may not be re-submitted for a reward. You may not utilize any Zoom logos, trademarks, or service marks without written authorization from Zoom. Zoom reserves the right to modify this policy at any time, and without prior notification, by posting an updated version of this document. Zoom reserves the right to terminate this program at any time and without prior notice.
Intellectual Property
Participating in the Zoom Bug Bounty program does not grant you, or any other third party, any rights to Zoom intellectual property, products, or services. All rights not otherwise granted within this policy are expressly reserved by Zoom. Regardless of whether a bounty is awarded for a report submission, you hereby assign to Zoom all rights, title, and interest, including all intellectual property rights, in all vulnerability reports submitted. You further represent that you have the right to assign all such rights, title, and interest to Zoom for the submissions, and that your participation in the Zoom Bug Bounty program does not violate any agreement you may have with any other third party, such as your employer.