If you’re a college student, professor, a teen just learning to hack into everyday things , or a Zoom user who just “noticed something weird,” there’s an opportunity to join an ethical hacker community.
Videoconferencing giant Zoom has invested in a global team of security researchers via a private bug bounty program on HackerOne’s platform. The platform provides recruiting tools and conversations with security-focused professionals.
Since 2019, Zoom has recruited over 800 security researchers on the HackerOne platform. Their collective work has resulted in the submission of numerous bug reports, and awards of over 2.4 million in bounty programs, swag and gifts since the program was introduced.
In 2021, Zoom awarded $1.8 million across 401 reports, writes Roy Davis, lead security engineer at Zoom in a blog post.
Zoom’s Vulnerability Management and Bug Bounty (VMBB) team focused on navigating a competitive recruitment landscape and attracting more security researchers to join the program.
To attract top talent, Zoom established the following principles to help guide and improve the program, according to Davis:
- Clear and concise program policies that spell out what types of testing are allowed, details regarding the program’s “Safe Harbor” policy, and a menu of potential bounty payout ranges for specific types of vulnerability reports.
- Consistently increasing the breadth of the attack surface, also known as the “scope” of a bug bounty program, and clearly defining what is specifically out of scope, or off-limits.
- Minimizing program response, remediation, and payout time frames. Nobody likes to wait to feel heard or to be paid for their work, and this includes ethical hackers.
- Professional relationships and direct rapport with the Zoom employees who manage the bug bounty program, triage report submissions, and determine bounty payments.
- Competitive bounties that accurately reflect the work done by the researchers and the severity of the impact a vulnerability may have if exploited.
- Zoom has also enabled a vulnerability disclosure program (VDP) which allows anyone not just establish security researchers just submit vulnerability reports to Zoom.
In October 2021, Zoom launched its VIP Bug Bounty program focusing on licensed versions of Zoom solutions and has expanded the scope of security testing.
Zoom metrics show that the average initial response time is just under four hours while full triage of an incoming report typically takes less than 48 hours. Bounty payments are usually paid within 14 days of report submission.
If you’re interested in helping to make Zoom more secure, email your HackerOne profile name to [email protected] or visit the Zoom careers page to review the open positions within the Trust and Security teams.
If you enjoyed this article and want to receive more valuable industry content like this, click here to sign up for our digital newsletters!
Leave a Reply