Since its inception in 2020, Zoom’s private bug bounty program has awarded US$2.4 million in payments and swag to security researchers, recruiting over 800 ethical hackers via the HackerOne platform.
In 2021 alone, it paid $1.8 million to researchers for helping to identify and resolve more than 400 security bugs, with its bounties now ranging from $250 up to $50,000.
Zoom’s average initial response time to bug submissions is under four hours, full triage of a report typically takes less than 48 hours, and bounties are usually paid within 14 days of submission. The videoconferencing platform’s foray into the bug bounty sphere has brought early success, but how does it calculate ROI for such an undertaking, and what lessons can CISOs learn when it comes to selling bug bounty concepts to senior management?
How Zoom developed its bug bounty program in 2021
In a review of its bug bounty program, Zoom outlined several key updates it implemented in 2021 to improve the process, with a particular focus on supporting researchers and attracting new talent. These include the introduction of a “bounty menu,” which gives researchers specific bounty amounts based on the type of vulnerability found and the demonstrated impact it could have on Zoom’s users and infrastructure.
Zoom also enabled a public Vulnerability Disclosure Program (VDP) allowing anyone, not just established security researchers, to submit vulnerability reports. It said that this has streamlined the intake of reports and allows the right teams at Zoom to get involved rapidly, which ultimately leads to faster bug remediations and a more secure product.
In October, the firm launched its VIP Bug Bounty program, which focuses on the licensed versions of Zoom solutions and has expanded the scope of security testing. The team also worked on reducing initial response, triage, remediation and bounty payout times, which produced the metrics cited above, and hosted meet-and-greet sessions with researchers around the world.
Zoom CISO Jason Lee tells CSO that these things have been key to the development and success of the program over the last year.
“Our team aims to maintain strong communication with researchers, and we strive for prompt response times. We’re also looking to continuously improve the program. For instance, just last year we raised our maximum bug bounty to $50,000 to further incentivise researchers and help match the time and effort they were spending on finding bugs.”
Zoom’s bug bounty ROI and selling to senior leadership
While a total payout of $2.4 million represents a significant investment, and one at which many senior management teams may balk, Lee says the ROI of quickly identifying and fixing vulnerabilities far outweighs the bounty outlay once the potential cost of even a single data breach is taken into account.
“We measure the Zoom Bug Bounty program not only in terms of the number of bugs we’re able to fix, but also in getting more eyes on reviewing our products,” he adds. “We’re able to tap into more diverse talents and skills sets and gather a greater, outside perspective to look for potential bugs.”
This is the key selling point for getting senior management on board with bug bounty concepts, he says: a short-term bounty investment buys long-term security advantages, and that is the case CISOs should make.
“Bug bounty plays a role as part of our larger security strategy. It’s a proactive way for us to track down bugs and harden our attack surface. We find a lot of value in identifying possible vulnerabilities before the bad actors, so that we can fix them promptly and keep our users safe. We also feel strongly about rewarding researchers for their hard work and efforts to enhance the security of our platform.”