Zoom awarded $1.8 million in bug bounty rewards during 2021

Cloud-based video conferencing service firm Zoom has given away $1.8 million under its bug bounty program in 2021. The amount is more than four times it did last year. The company rewarded 92 researchers with bounties for tracing out 401 vulnerabilities during the year, out of which 5% were critical issues, the company revealed in blogpost.    

Under the big bounty programs, the companies pay ethical hackers to comb through their code, find bugs and report and fix them. In the case of Zoom, the company is looking to augment its programmes for supporting independent vulnerability research into its platform. 

“Companies are always in competition for time and attention from researchers,” Roy Davis, Lead Security Engineer, said in the post. “One of our goals this year is to increase our engagement with researchers through live hacking events and attendance at security conferences.” 

Davis revealed that Zoom has invested in a skilled, global team of security researchers via a private bug bounty program on ‘HackerOne’s platform’, which he claims is the industry’s leading provider for recruiting and engaging with security-focused professionals. However, he clarified that private bug bounty programs are invitation-only, which allows companies to hand-pick security researchers based on their previous work.

HackerOne calculates statistics for each researcher based on their signal-to-noise ratio, impact on the programs they have contributed to, and reputation, all of which help measure how relevant and actionable their findings will be. Zoom has recruited over 800 security researchers on the HackerOne platform, as mentioned in the same blog by him. 

Zoom is now moving away from a static bounty range based only on the severity of the vulnerability reported, and implemented a “Bounty Menu”. This menu provides researchers with specific bounty amounts based on the type of vulnerability found and the demonstrated impact it may have on Zoom’s users and infrastructure. In January 2021, Zoom raised the top end of the bounty table to $50,000 for a single report and the bottom end to $250, as stated by the company in its blog report.