At Zoom, security and privacy aren’t just buzzwords: they are part of our culture and key initiatives. In the ever-evolving landscape of cybersecurity, we know it is essential to try to stay ahead of potential threats. That’s why we leverage the expertise of the ethical hacking community to help identify and address vulnerabilities before they can be exploited by malicious actors. One of the ways we achieve this is through our partnership with HackerOne and our participation in their live hacking events.
We were thrilled to be a sponsor of this year’s HackerOne H1-4420 event, which took place on June 22, 2023, at CodeNode in London. This event provided us with an invaluable opportunity to collaborate with some of the most talented ethical hackers from around the world, all working together to help enhance the security of the Zoom platform. By actively engaging with this community, we can not only mitigate risks but also foster innovation and continuously improve our services.
Bringing together the world’s top hackers
The H1-4420 event brought together over 90 security professionals from over 41 countries, with both in-person and virtual participation. These skilled hackers put the Zoom platform under the microscope, searching for potential vulnerabilities across a variety of products, ranging from Zoom Mail and Calendar to Zoom IQ. Their efforts offer invaluable support, helping us evolve our products and better protect our customers. We are immensely grateful for their contributions.
Our top performers at H1-4420 for bounty payouts and other categories include:
First place and the title of Exterminator: cache-money
Second place and the title of Vigilante: f6x
Best collaboration: tomanthony, todayisnew, hx01, and shubs
We are proud to have had the opportunity to help HackerOne celebrate and champion strategic ethical hacking from these individuals.
Evaluating bugs: assessing vulnerabilities with CVSS and VISS
Hackers participating in H1-4420 underwent an advanced bug evaluation process that utilized both the conventional Common Vulnerability Scoring System (CVSS) approach and Zoom’s new Vulnerability Impact Scoring System (VISS). With VISS, we surpassed surface-level analysis and assessed the demonstrated impact of each bug on the Zoom platform.
By incorporating VISS into our bug bounty program, we empower our team to allocate resources efficiently and focus on the most critical vulnerabilities. This proactive approach enhances our overall security posture, helping to ensure a safe and secure environment for our valued customers. The introduction of VISS exemplifies Zoom’s commitment to robust security practices and to building trust with our customers as we continuously strive to stay ahead in the ongoing pursuit of comprehensive security measures.
Using AI and hunting for Zoom’s Easter eggs
For this year’s event, Zoom also created three “Easter eggs” as additional puzzles for participants to solve. Each of the three puzzles involved breaking a different encryption algorithm through a different type of exploitation. In one example, a hacker named “rez0” used an AI tool to generate new word lists for their brute-force approach to solving the puzzle. We’re continuing to see hackers use AI tools to be even more efficient in their vulnerability detection and exploitation efforts.
Unleashing creativity and fun: activities for hackers
During the event, it wasn’t all just hacking and cybersecurity discussions. We also wanted to create a fun and relaxed atmosphere for our participants. HackerOne set up a custom postcard station where hackers could send postcards back home, providing a delightful break from their work. Additionally, we had a coloring wall where hackers could showcase their creativity and enjoy a moment of artistic expression. We believe that a balanced and enjoyable environment fosters collaboration and sparks new ideas.
Rewarding researchers: Zoom’s Bug Bounty program impact
Last fiscal year, Zoom awarded $3.9 million in bounties to hundreds of researchers, bringing the total amount awarded through our Bug Bounty program to over $7 million since its inception. This investment reflects our dedication to maintaining the highest levels of security and privacy for our customers.
In addition to continually evolving our Bug Bounty program, events like H1-4420 serve as a reminder of the power of collaboration and the collective effort needed to help stay ahead in the cybersecurity landscape. By working hand in hand with ethical hackers from around the globe, we can proactively address vulnerabilities and create a safer environment for our customers.
To learn more about our ethical hacking efforts and Vulnerability Disclosure Policy, please visit our Bug Bounty program page.
Editor’s note: This blog post was edited on July 31, 2023, to include the most up-to-date information on our Bug Bounty program.