Zoom Pays $1.8 Million in Bug Bounties
In other cybersecurity news …
Zoom last year awarded security researchers $1.8 million for helping identify and resolve more than 400 bugs through its private bug bounty program.
Zoom works with more than 800 security researchers globally via the HackerOne platform. Zoom’s bounties range from $250 up to $50,000. It has awarded a total of $2.4 million in bounty payments and swag since the program’s inception.
Roy Davis is Zoom’s lead security engineer.
“When the pandemic hit in early 2020, Zoom meetings reached 300 million daily meeting participants in just a few short months,” he said. “Staying ahead of emerging and potential cyber threats became a priority and required continuously strengthening the security and integrity of the platform to keep Zoom’s users secure. As Zoom’s security surface continued to harden, we raised our maximum bounty amount to accurately reflect the time and effort invested by the researchers. Over the past year, Zoom was able to attract and partner with top researcher talent to bolster its security posture.”
To support existing researchers and attract new ones, Zoom also implemented several key updates to its bug bounty program last year. It moved away from a static bounty range based only on the severity of the vulnerability reported and implemented a bounty menu. This menu provides researchers with specific bounty amounts based on the type of vulnerability found and the demonstrated impact it may have on Zoom’s users and infrastructure.
In January 2021, Zoom raised the top end of the bounty table to $50,000 for a single report and the bottom end to $250.
Zoom also introduced a public vulnerability disclosure program (VDP). It allows anyone, not just established security researchers, to submit vulnerability reports to Zoom.
“We’ve learned and grown so much in 2021, and we’re excited to expand these efforts and work with more ethical hackers in 2022,” Davis said.