Zoom’s Bug Bounty program helps protect customers

© Provided by Free Press Journal Zoom’s Bug Bounty program helps protect customers

Zoom has released the FY23 results of the company’s Bug Bounty Program. In an effort to protect customers by quickly identifying bugs, the invitation-only program helps Zoom connect and engage with researchers who help identify risks. In 2022, Zoom invited researchers to join their HackerOne program and welcomed more members into the Bug Bounty Program.

2022 in retrospect

The ethical hacker community can sometimes detect bugs that may only be discovered in certain circumstances. That’s why the bug bounty program focuses on recruiting skilled, effective researchers. In 2022, the company sent additional invitations to researchers to join our HackerOne program with a focus on attracting active security talent. The company also likes to go beyond the program to find talent, so it tapped into the community via industry events like H1-702.

To celebrate successful report submissions and the hard work researchers conduct on behalf of Zoom, the company awarded $3.9M in bounties to hundreds of researchers in 2022, and over $7M to date since the program began.

Beyond identifying vulnerabilities, outside researchers’ support has helped the program make other forms of progress at Zoom. The reports demonstrate items that need attention, flag root-level causes for issues, create better cross-functional alignment, and find potential threats before they become a problem. As a result, the time to resolution for bug bounty reports has significantly improved over the past two years.

Updating our program for 2023 and beyond

Looking ahead to 2023 and beyond, Zoom is evolving the program to add a scoring system called the Vulnerability Impact Scoring System (VISS), which will be used alongside the industry-standard Common Vulnerability Scoring System (CVSS). VISS analyzes thirteen different aspects of impact for each vulnerability reported as they relate to Zoom infrastructure, technology, and security of customer data, seeking to focus more on measurability responsibly demonstrated impact, rather than the theoretical possibility of exploitation.