Bug bounty programs, whether private and open only to invited researchers or public, where anyone can submit a vulnerability report, have become a critical way for organizations to improve their security posture.
The industry is beset with talent shortages. Estimates suggest there will be approximately 3.5 million unfilled security job openings by 2025 in the US alone, and until more specialists are available, companies often cannot rely solely on in-house security teams, which already have more than enough work.
This is where bug bounties come in: external researchers and bug hunters can perform tests on software and services, report any severe security issues, and receive credit and/or financial rewards in return.
The popularity of Zoom's video teleconferencing software exploded overnight due to COVID-19 and lockdowns, with many of us forced to work from home. However, the rapid increase in users also exposed security problems that had to be addressed quickly, and a bug bounty program was one of the firm's initiatives for improving the situation.
Zoom's main program is private, but the platform actively recruits security researchers. Over 800 researchers participate in the program, which HackerOne hosts.
In 2021, the software vendor paid out over $1.8 million across 401 reports; since the program's launch, over $2.4 million has been awarded in total.
Recent updates to the program include a wider reward range, with up to $50,000 per report for the most severe vulnerabilities and $250 for low-severity findings.
The company also launched a public Vulnerability Disclosure Program (VDP) and a VIP bug bounty program for licensed software.
"While Zoom tests our solutions and infrastructure every day, we know it's important to augment this testing by tapping the ethical hacker community to help identify edge-case vulnerabilities that may only be detectable under certain use cases and circumstances," Zoom commented.