To keep its users safe from attackers, cloud communications firm Zoom paid out over $1.8 million to bug bounty hunters in 2021. According to the company, that figure has risen by 260 per cent since the programme was launched.
In 2021, Zoom also recruited over 800 security researchers on the HackerOne platform. Their collective work has produced numerous bug reports and, since the programme was introduced, over $2.4 million in bounty payments, swag, and gifts.
Last year the company also moved away from a static bounty range based only on the severity of the vulnerability reported, and implemented a “Bounty Menu.” This menu provides researchers with specific bounty amounts based on the type of vulnerability found and the demonstrated impact it may have on Zoom’s users and infrastructure. In January 2021, Zoom raised the top end of the bounty table to $50,000 for a single report and the bottom end to $250.
“While Zoom tests our solutions and infrastructure every day, we know it’s important to augment this testing by tapping the ethical hacker community to help identify edge-case vulnerabilities that may only be detectable under certain use cases and circumstances,” said the company in a statement.
Throughout 2021, the Zoom vulnerability management and bug bounty (VMBB) team focused on decreasing initial response, triage, remediation, and bounty payout times. “Our current metrics show that the average initial response time is just under four hours while full triage of an incoming report typically takes less than 48 hours. Bounty payments are discussed and reviewed by the team weekly, which means bounties are usually paid within 14 days of report submission,” said the company.
Bug bounty programmes have been gaining ground among tech companies as the number of reported security vulnerabilities has grown. A bug bounty programme lets outside researchers report bugs or vulnerabilities in a company's systems in exchange for compensation and public recognition. Most of the global tech majors, despite employing large IT and security teams, also rely on bug bounty hunters to spot vulnerabilities in their systems. Business Standard