Updated: Jul 5
Zoom's bug bounty program has shown its return on investment, paying $1.8m for the resolution of 400 bugs.
Since its start in 2020, Zoom has awarded $2.4 million in bounties and swag to bounty hunters through its private bug bounty program, recruiting more than 800 ethical hackers through the HackerOne platform. In 2021 alone, it paid $1.8 million to bounty hunters for fixing more than 400 bugs, with its highest bounty at $50,000 for a single report and its lowest at $250.
Zoom's initial average response time is less than 4 hours, and full triage of a report takes no more than 48 hours. Bounties are paid to bounty hunters within 14 days.
How Zoom evolved its bounty program.
Zoom moved away from static bounties by introducing a "bounty menu," which tells bounty hunters the specific payout for each type of vulnerability according to its severity and its impact on users.
It also enabled a Vulnerability Disclosure Program (VDP), which lets anyone submit vulnerability reports to Zoom. This has streamlined the large flow of reports, leading to faster bug remediation and a more secure product.
In October 2021, Zoom launched the VIP Bounty program, focused on the licensed versions of Zoom solutions, which expanded the scope of security testing.
Zoom hosted several meet-and-greet meetings with bounty hunters worldwide to maintain existing relationships and build new ones.