Zoom headquarters on Almaden Boulevard in San Jose, California. (Coolcaesar via Creative Commons Attribution-Share Alike 4.0 International license)

After a massive boom in use and a rocky start as the COVID-19 pandemic swept the world, Zoom has completed its ambitious 90-day security and privacy plan, most recently adding two-factor authentication (2FA) to its roster of protective measures.

The 2FA, as well as the addition of former Salesforce executive Jason Lee as chief information security officer, seem to be steps by Zoom to respond to criticism piled on the teleconferencing platform for shortcoming that led to “zoom bombing,” zero day vulnerabilities being sold on the market by bug brokers, and other privacy missteps.

As part of its ongoing efforts, the company has built a robust bug bounty program on the Bugcrowd platform. Bugcrowd CEO Ashish Gupta spoke with SC Media about the program and the strides he believes Zoom has made to protect data and privacy.

What does Zoom’s embrace of two-factor authentication mean in the company’s strategy for improving its privacy and data security posture?

Zoom announced enhanced two factor authentication for desktop and mobile, which adds an extra layer of protection and shields personal information.  We are making a lot of advances in the use of cyber technologies in our day-to-day life and Zoom has become a big part of our lives – both personally and professionally. This extra layer of security not only overcomes the strength of your passwords, it’s also easy to implement and adds another layer of security. 2FA gives nefarious actors an additional hurdle before they can access your information or Zoom meeting.  

Bugcrowd runs Zoom’s bug bounty program. How has the company invested in growing that program?

 Zoom is very active with their bug bounty program and has been responsive to researcher and Bugcrowd feedback. They have hired additional experts with vast experience in bug bounty programs to help manage their internal processes and further benefit from the power of the security researchers submitting on their bug bounty program.  

Zoom continues to be a supporter of the crowdsourced approach and of all the researchers who provide such critical feedback. By utilizing researchers to continuously test their platform for vulnerabilities, Zoom reaps the benefits of the ‘human touch’ or ‘human ingenuity.’ This allows Zoom to get more visibility into their attack surface, as the contextual visibility that ethical hackers contribute is vital. We have seen Zoom move to actively address all [vulnerabilities] submitted by Bugcrowd’s researchers.

AI is expected to make a significant difference in managing risk. Does that make the human element less important?

While AI and other security solutions have a role in reducing cyber risk, human ingenuity is also important in achieving an effective security posture. Our white hat hackers can perform vulnerability  testing that can identify vulnerabilities within apps on a continual basis. One of the best ways to beat an attacker is by thinking like one.

At the end of the day, speed can be the enemy of security as everyone wants to get their products to market faster. However, if more companies like Zoom can make security a key part of the software development lifecycle and take the input of the crowd, the benefits can be immense. 

After getting hammered early on Zoom acknowledged concerns and came out with a detailed proactive 90-day security and privacy plan for addressing security and privacy issues. What are the long-term implications on the company’s bug bounty program?

I would reaffirm that Zoom’s efforts to utilize the power of crowdsourced security and the bug bounty program are not a ‘once and done’ deal. Zoom has seen a huge increase in usage, and helped Zoom become more secure. We do this in a number of ways and one very powerful method is that we match the right researchers to the right use case. For instance, Zoom works on multiple end-points with multiple operating systems and browsers, calendars, environments, APIs, etc. Having a team of researchers who collectively understand those environments makes it easier to find security vulnerabilities in any individual area or at handoff points. The benefit of the crowd and our platform is that we create a force-multiplier driven by bringing experts to work together and a platform that provides contextual intelligence that helps find and fix security vulnerabilities faster.

Zoom takes this force multiplier seriously and welcomes researchers to submit vulnerabilities on our platform with the goal to make the Zoom connected world safer. They continue to make SecOps a key part of the DevOps and overall software development lifecycle and benefit from the feedback of our crowd, which helps them deliver even more secure communications to the world.   We see that Zoom is in this for the long run and applaud those efforts.