
Zoom’s bug bounty ROI clear as program pays $1.8 million to fix over 400 bugs


Since its inception in 2020, Zoom’s private bug bounty program has awarded $2.4 million in cash and swag to security researchers, recruiting over 800 ethical hackers through the HackerOne platform. In 2021 alone, it paid $1.8 million to researchers for helping to identify and resolve more than 400 security bugs, with its bounties now ranging from $250 up to $50,000.

Zoom’s average initial response time to bug submissions is under four hours, with full triage of reports typically taking less than 48 hours, and bounties are typically paid within 14 days of report submission. The videoconferencing platform’s foray into the bug bounty sphere has brought early success, but how does it calculate ROI for such an endeavor, and what lessons can CISOs learn when it comes to selling bug bounty concepts to senior management?

How Zoom developed its bug bounty program in 2021

In a review of its bug bounty program, Zoom outlined several key updates it implemented in 2021 to improve the process, with a particular focus on supporting researchers and attracting new talent. These include the introduction of a “bounty menu,” which gives researchers specific bounty amounts based on the type of vulnerability found and the demonstrated impact it could have on Zoom’s customers and infrastructure.

Zoom also enabled a public Vulnerability Disclosure Program (VDP), allowing anyone, not just established security researchers, to submit vulnerability reports. It said that this has streamlined the intake of reports and lets the right teams at Zoom get involved quickly, which ultimately leads to faster bug remediation and a safer product.

In October, the firm launched its VIP Bug Bounty program, which is focused on the licensed versions of Zoom solutions and has expanded the scope of security testing. Additionally, the team focused on lowering initial response, triage, remediation, and bounty payout times to achieve the metrics mentioned above, along with hosting meet-and-greet meetings with researchers around the world.

Zoom CISO Jason Lee tells Koderspot that these things have been key to the development and success of the program over the past year. “Our team aims to maintain strong communication with researchers, and we strive for prompt response times. We’re also looking to continuously improve the program. For example, just last year we raised our maximum bug bounty to $50,000 to further incentivize researchers and help match the time and effort they were spending on finding bugs.”

Zoom’s bug bounty ROI and selling it to senior management

While a total payout of $2.4 million reflects a significant investment, and one that many senior management teams may balk at, Lee says that the ROI of quickly identifying and fixing vulnerabilities far outweighs the bounty outlay when taking into account the potential costs of even a single data breach. “We measure the Zoom Bug Bounty program not only in terms of the number of bugs we’re able to fix, but also in getting more eyes on reviewing our products,” he adds. “We’re able to tap into more diverse talents and skill sets and gather a greater, outside perspective to look for potential bugs.”

This selling point is key to getting senior management on board with bug bounty concepts and is evidence of the long-term security benefits of short-term bounty investment that CISOs should focus on, he says. “Bug bounty plays a role as part of our larger security strategy. It is a proactive approach for us to track down bugs and harden our attack surface. We find a lot of value in identifying possible vulnerabilities before the bad actors, so that we can fix them promptly and keep our users safe. We also feel strongly about rewarding researchers for their hard work and efforts to enhance the security of our platform.”

Copyright © 2022 Koderspot, Inc.