Zoom To Revamp Bug Bounty Program, Bring In More Security Experts

Zoom
Image: Zoom, ZDNet

Teleconferencing app Zoom announced today plans to revamp its bug bounty program as part of its long-term plan to improve the security of its service.

The company has hired Luta Security, a company specialized in managing sustainable vulnerability disclosure and bug bounty programs.

Luta Security is helmed by cyber-security veteran Katie Moussouris. The Luta Security founder is best known for setting up bug bounty programs for Microsoft, Symantec, and the Pentagon.

Both companies -- Zoom and Luta Security -- made the announcement earlier today.

Zoom previously used to run a bug bounty program on the HackerOne platform.

Luta Security has a free hand to rebuild Zoom's existing program. Moussouris said she's now taking input from the entire cyber-security community on ways to improving Zoom's vulnerability disclosure process.

"Anything from the NDA to the pay to the submission form to the experience working with bug bounty triage vendors who are managing Zoom's private bug bounties are all very much in scope," Moussouris said.

Other big-name hires to follow

Zoom hired Moussouris, a well-known and respected figure in the cyber-security industry, a week after it hired former Facebook CSO Alex Stamos as a security consultant.

In a tweet today, Moussouris hinted that more high-profile names will be joining Zoom in the coming days. The list includes privacy expert Lea Kissner (former Global Lead of Privacy Technology at Google), cryptographer and Johns Hopkins professor Matthew Green, and three well-known security auditing firms -- BishopFox, the NCC Group, and Trail of Bits.

New security features rolling out later this week

The new hires are part of Zoom's efforts to improve the service's security posture.

Due to the coronavirus (COVID-19) pandemic, the app grew from 10 million users in December to more than 200 million users today. Because of its sudden rise in popularity, the app came under scrutiny from cyber-security researchers, privacy experts, and hackers.

Experts found security flaws in the app's code, privacy issues with user data management, issues with the app's custom encryption scheme, and accusations of sending data to Chinese servers where it could be hijacked by Chinese intelligence.

Facing a rising wave of criticism that was threatening to ruin its growing reputation, Zoom CEO Eric Yuan announced on April 1 plans to stop development on all new app features and focus solely on security.

Over the past two weeks, Zoom has patched all known security flaws, has deployed features to secure Zoom meetings against the practice known as Zoom-bombing, and has hired experts to craft a long-term cyber-security strategy.

During its weekly "Ask Eric Anything" webinar last night, the Zoom CEO summarized the company's past efforts and also gave a glimpse of future Zoom security features [see image below].

Zoom security status
Image: Zoom

According to Yuan, future plans include adding an option to let users control the Zoom data centers where their data will be stored and adding an option to report abusive users.

The first feature will help quench fears that Zoom chats and encryption keys might be sent to Chinese servers. The second will help Zoom shut down accounts engaging in Zoom-bombing.

Furthermore, Alex Stamos, speaking in the same webinar, announced plans to move from Zoom's current shoddy app call encryption scheme to a more widely tested and trusted solution.

More specifically, Stamos said Zoom will be moving away from the current 256-AES ECB encryption to a more secure 256-AES GCM encryption, but added that the "long-term focus will involve a totally new cryptographic design that greatly reduces risk to Zoom's system."

RECENT NEWS

Reassessing AI Investments: What The Correction In US Megacap Tech Stocks Signals

The recent correction in US megacap tech stocks, including giants like Nvidia, Tesla, Meta, and Alphabet, has sent rippl... Read more

AI Hype Meets Reality: Assessing The Impact Of Stock Declines On Future Tech Investments

Recent declines in the stock prices of major tech companies such as Nvidia, Tesla, Meta, and Alphabet have highlighted a... Read more

Technology Sector Fuels U.S. Economic Growth In Q2

The technology sector played a pivotal role in accelerating America's economic growth in the second quarter of 2024.The ... Read more

Tech Start-Ups Advised To Guard Against Foreign Investment Risks

The US National Counterintelligence and Security Center (NCSC) has advised American tech start-ups to be wary of foreign... Read more

Global IT Outage Threatens To Cost Insurers Billions

Largest disruption since 2017’s NotPetya malware attack highlights vulnerabilities.A recent global IT outage has cause... Read more

Global IT Outage Disrupts Airlines, Financial Services, And Media Groups

On Friday morning, a major IT outage caused widespread disruption across various sectors, including airlines, financial ... Read more