
Zoom Private Program
External Program
Submit bugs directly to this organization


Welcome to the Zoom Bug Bounty Program!
Zoom’s frictionless collaboration platform brings teams together in a security-focused environment, protected by forward-thinking security teams, defense-in-depth infrastructure, and rapid first responders. Zoom encourages responsible identification, reporting, and disclosure of security vulnerabilities that may be found on our websites, APIs, and applications by the hacking community.
Zoom is committed to working with security researchers to verify and address all impactful security vulnerabilities that are reported to our Bug Bounty Program. If you want to help us make our products safer with the possibility of a reward in the process, you are in the right place!
The decision to grant a reward (bounty or bonus) for a vulnerability report, and the value of a reward (if any), is entirely within Zoom’s discretion. As of 3/20/2023, if a decision is made to grant a reward for a vulnerability report submission, the value of that reward will be based on the responsibly demonstrated impact of the exploited vulnerability. As described within this policy, Zoom uses the [Vulnerability Impact Scoring System (VISS)](https://viss.zoom.com) to assess the impact of the vulnerability demonstrated by the report submission.
Researchers qualify for bounty award consideration only if they are the first to submit a responsibly disclosed and previously unknown vulnerability, in accordance with this policy. The order in which reports were submitted is determined solely by the HackerOne platform. Regardless of submission order, a vulnerability must be relevant, exploitable, demonstrated, and well-documented in the vulnerability report submission to qualify. The information in this policy, and this table, are subject to change at any time without notice.
Under the Zoom Private Bug Bounty Program, qualified individuals are encouraged to submit reports that provide detailed explanations and demonstrations of vulnerabilities within the published “in-scope” asset list. In certain circumstances, Zoom may grant monetary rewards to those who submit vulnerability reports. The amount of any monetary award will be based on the impact of the vulnerability as determined by Zoom utilizing the Vulnerability Impact Scoring System (VISS).
We are happy to thank every individual researcher who submits a vulnerability report to help us improve our overall security posture at Zoom. However, only those researchers who meet the following criteria may be eligible to receive a monetary reward (bounty). Some of the requirements to participate in the Zoom Bug Bounty Program include:
You must be a member of the Zoom Private Bug Bounty Program.
You must be the first reporter of a vulnerability associated with an asset marked as “in-scope.”
You must have personally discovered the vulnerability, and you may not report a vulnerability that another person discovered (including, and especially, someone who does not qualify to participate in the Bug Bounty Program).
You must not be employed by Zoom, its subsidiaries, or any related entities, currently or in the last 12 months.
You must comply with all portions of this Policy when discovering the vulnerability, demonstrating the vulnerability, and submitting the vulnerability report.
Neither Zoom nor HackerOne may be legally prohibited from rewarding you for any reason.
To receive licensed Zoom testing accounts, first create a free Zoom account at https://zoom.us/signup#/signup using your HackerOne "@wearehackerone” email address. Then send an email to [email protected] with the subject "Zoom Test Account Request”. Include your HackerOne "@wearehackerone” email address in the body of the email.
While Zoom encourages you to discover and report to us any vulnerabilities you find in a responsible manner, the following conduct is expressly prohibited and will result in disqualification from the Bug Bounty Program:
The disclosure of any vulnerabilities, suspected vulnerabilities, or the contents of any submission you make, to any other person, entity, social media service, news reporting service, media, or any other outlet, without explicit pre-authorization from Zoom. We are happy to discuss disclosure with you once a vulnerability has been remediated in all our production environments.
Accessing any private information of anyone other than yourself stored on a Zoom product or service (e.g., credentials, credit card numbers, meeting recordings, meeting transcriptions, operating system credential storage files, personal information, or any other data).
Performing actions that may cause a negative effect on any Zoom infrastructure performance or availability. (e.g., spam, brute force, denial of service).
Conducting any physical attack on Zoom personnel, customers, users, property, or data centers.
Conducting any social engineering attack on any Zoom employee, contractor, customer, or user.
Conducting vulnerability testing of participating services using anything other than test accounts with licenses provided by Zoom.
Exfiltrating data. Please demonstrate only the minimum actions necessary to validate a vulnerability. The Zoom triage team will verify if any further data exfiltration is possible from a reported vulnerability, and the bounty rewarded will take the full extent of the impact into account.
Violating any U.S. or international laws, or breaching any agreements, in order to discover vulnerabilities.
Uploading inappropriate or offensive images, language, or content of any kind.
Arguing with the Zoom Bug Bounty team regarding VISS scores and bounty awards.
Everyone makes mistakes, including HackerOne and Zoom triage teams. If you feel your report was incorrectly reviewed and/or awarded, please make a convincing case in the comments of your report on the HackerOne platform. You can also reach out to the Zoom team directly via Zoom Team Chat. To be invited to Zoom's internal Team Chat server, please email your Zoom user email address to [email protected] and request access.
Gold Standard Safe Harbor supports the protection of organizations and hackers engaged in Good Faith Security Research. “Good Faith Security Research” is accessing a computer solely for purposes of good-faith testing, investigation, and/or correction of a security flaw or vulnerability, where such activity is carried out in a manner designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices, machines, or online services to which the accessed computer belongs or those who use such devices, machines, or online services.
We consider Good Faith Security Research to be an authorized activity that is protected from adversarial legal action by us. We waive any relevant restriction in our Terms of Service (“TOS”) and/or Acceptable Use Policies (“AUP”) that conflicts with the standard for Good Faith Security Research outlined here.
This means that for Good Faith Security Research conducted with a good faith effort to comply with our program policy and while this program is active, we:
Will not bring legal action against you or report you, including for bypassing technological measures we use to protect the applications in scope; and,
Will take steps to make known that you conducted Good Faith Security Research if someone else brings legal action against you.
You should contact us for clarification before engaging in conduct that you think may be inconsistent with Good Faith Security Research or unaddressed by our policy.
Keep in mind that we are not able to authorize security research on third-party infrastructure and a third party is not bound by this safe harbor statement.
While we require researchers to demonstrate the impact of vulnerability exploitation, demonstration MUST be done in a professional, responsible, non-destructive, and non-impactful way. Note that the viewing of Zoom Customer Data is strictly prohibited! Before proceeding to a step in your testing in which you may expose Zoom Customer PII, or cause damage (or potential damage) while testing: STOP, report what you've found, and request additional testing permission. The Zoom Bug Bounty Team will schedule a face-to-face Zoom call with you during which you can demonstrate your PoC and ask further questions. Our triage team will be able to take that next "dangerous step" for you to demonstrate the impact of the bug you are reporting. We will then fairly assess the VISS score, making sure you get the correct score your report has demonstrated.
For reports involving exposure of Zoom employee credentials, OR credentials which grant access to ZoomGov, it is sufficient to ONLY test that they allow login access. NEVER access any actual Zoom internal system to "poke around" looking for evidence with which to justify a higher VISS score. Triage will do this on your behalf, and the VISS score will be updated to reflect impact.
Zoom has partnered with HackerOne to provide our researchers with a new type of report triage service that is customized to the high quality and expectations of Zoom and its bug bounty researchers. The HackerOne triage plus team is committed to treating every researcher with respect and appreciation for their hard work 24/7/365. In return, we ask you to act with gracious professionalism. We want researchers, Triage Plus, and Zoom Bug Bounty team employees to work together as one big team. We are all working toward the same goals.
The HackerOne Triage Plus team, as well as the Zoom Bug Bounty team, is committed to providing the following services to all researchers:
Timely and respectful responses to report submissions, acknowledging the receipt of your vulnerability report.
Our best effort will be made to meet the following response targets for all submitted reports. This does not mean we will always be able to meet these goals:
Our best effort will be made to keep you informed about our progress throughout the process and notify you when the remediation or other action regarding the vulnerability has been fully implemented.
Thank you for helping to keep Zoom Video Communications and our users safe!
Participating in the Bug Bounty Program does not grant you, or any other third party, any rights to any Zoom intellectual property, product, or service. All rights not otherwise granted herein are expressly reserved.
Whether or not we grant you a reward, you hereby assign to Zoom all rights, titles, and interests (including all intellectual property rights), to the contents of all vulnerability reports that you submit to Zoom.
By participating in the Zoom Bug Bounty Program, you represent that you have the right to assign all such rights, titles, and interests to us and that your participation in the Bug Bounty Program and assignment of such rights, titles, and interests will not breach any agreement you may have with a third party (e.g. your employer).
Researchers must provide detailed reports with reproducible steps that demonstrate actual impact. If the report is not detailed enough to reproduce the issue or does not demonstrate actual security or privacy impact, the report will not be eligible for any bounty award.
Researchers must submit one vulnerability per report unless:
When duplicate reports are submitted, Zoom will only accept the first report received that can be fully reproduced. If the HackerOne Triage Plus team puts a report into the “Needs More Info” state, and another report is submitted that is fully reproducible given the information provided, that second report will be determined to be the first reproducible report and hence will be accepted. All other reports concerning the same or similar vulnerability will be closed as duplicates.
Reports that require social engineering (e.g., phishing, vishing, smishing) are prohibited and will not be accepted.
Researchers must make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Researchers must only interact with test accounts they have created or that have been provided by Zoom for testing purposes. DO NOT attack or exploit Zoom customer accounts.
Multiple vulnerabilities caused by one underlying issue will only be awarded one bounty.
By participating in the Bug Bounty Program, researchers agree to be bound by the rules specified within this policy.
These policies will apply to you in addition to, and will not replace, any other terms and conditions that are imposed by HackerOne.
Researchers' participation in the Zoom Bug Bounty Program does not create any employment relationship between you and Zoom. You must not claim to be a Zoom employee or to be in any way affiliated with Zoom, other than to say you are a researcher within the Zoom program hosted by HackerOne.
Researchers must comply with all applicable laws concerning their participation in this program.
Researchers are responsible for any applicable taxes associated with any reward you receive.
Researchers will not use any of Zoom’s trademarks, service marks, or logos, for any purpose.
Zoom may modify this Policy at any time by posting an updated version.
Zoom may terminate or pause this Bug Bounty Program at any time without notice.
Zoom is not able to associate reporters who submit duplicate reports with the original report due to privacy concerns. In these cases, we will provide evidence of the previous submission upon request.
The decision to grant a reward (bounty or bonus) for a vulnerability report, and the value of a reward (if any), is entirely within Zoom’s discretion. If we decide to offer a reward for a vulnerability report, the value of the reward will usually be based on the demonstrated impact and severity of the reported vulnerability.
You will qualify for consideration of a reward only if you are the first person to responsibly disclose an unknown vulnerability to Zoom in accordance with this policy. The determination of whether you are the first person is solely our responsibility.
All vulnerabilities reported must be relevant, exploitable, impactful, and well-documented in the submitted vulnerability report. Zoom will only grant a reward if the vulnerability is demonstrated, impactful, specific, and fixable by Zoom.
As of 3/20/2023, Zoom will no longer accept report submissions concerning Zoom assets or functionality included in Zoom assets that are developed or hosted by third-party vendors, except in such cases where Zoom customer data is exposed. In these cases, the researcher will be awarded a bounty based on the impact of the data exposure. The researcher is required to make reasonable efforts to notify the Third Party involved of their findings.
Please note that Zoom is not able to grant authority or safe harbor to researchers for any security vulnerability testing on third-party software or systems. Researchers must obtain permission to perform such testing from the Third Party prior to the start of any testing involving third-party software or systems.
As of 3/20/2023, all bounties for vulnerability reports received by the Zoom Bug Bounty Program will be determined using the Vulnerability Impact Scoring System (VISS). This scoring system is currently unique to the Zoom Bug Bounty Program. Work is currently underway to socialize and evangelize this system to other organizations through the publishing of a specification and the establishment of a Special Interest Group (SIG). Researchers who are members of the Zoom Private Bug Bounty Program are in a unique position to be among the very first to learn about this system and have an opportunity to provide feedback that may affect the scoring system in the future.
VISS is not a replacement for CVSS, which is a well-established system for assigning severity to a vulnerability given a limited set of metrics. CVSS mostly assesses vulnerabilities from the attacker’s perspective, which is why security researchers in many bug bounty programs are tasked with providing their interpretation of the CVSS score associated with the vulnerability they are reporting. Conversely, VISS provides a way to assess a vulnerability from an impact perspective specific to an organization, by taking into account information only available to that organization.
To be clear, the VISS score will be determined by the Zoom triage teams during the processing of your report. Your report’s score will be shared with you in the most transparent way possible.
Researchers can access the VISS specification and calculator at https://viss.zoom.com/
NOTE CONCERNING ONE VS. MANY IMPACTED USERS OR PLATFORMS: VISS only takes into account the impact of a single exploitation of a vulnerability. In many cases, an exploit chain can be executed in a loop with each execution having additional impact, but VISS does not take that factor into account. VISS is designed in this way to account for vulnerability exploitations that can only affect a single victim per attack, as well as exploitations that impact several victims per single attack.
Here is an example. Take a situation in which VISS is assessing the impact of several different weapons of war. Below are examples of different weapons and how the Impact on enemies would be specified in VISS:
We understand this may cause some confusion at first for some researchers. Please reach out to our team via email at [email protected] with questions.
The following is a breakdown of the three key concepts that form the CIA triad:
Confidentiality is roughly equivalent to privacy. Confidentiality measures are designed to prevent sensitive information from unauthorized access attempts. It is common for data to be categorized according to the amount and type of damage that could be done if it fell into the wrong hands. More or less stringent measures can then be implemented according to those categories.
Integrity involves maintaining the consistency, accuracy, and trustworthiness of data over its entire lifecycle. Data must not be changed in transit, and steps must be taken to ensure data cannot be altered by unauthorized people (for example, in a breach of confidentiality).
Availability means information should be consistently and readily accessible for authorized parties. This involves properly maintaining hardware and technical infrastructure and systems that hold and display the information.
The following types of issues are specifically excluded from our Bug Bounty Program:
EXAMPLE OF OOS REPORT:
NOTE:
Zoom is fully aware that several cookies are overly scoped and that some subdomains become "dangling." Zoom does not require further evidence at this point to identify these issues. Zoom Engineering is working on a solution. Once a solution is in place, this OOS restriction will be removed.
Zoom will award a bounty for reports that notify us about dangling subdomains. This should not be interpreted in any way to suggest that the above attack chain utilizing a dangling subdomain is somehow still in scope. If this is still unclear to you, please contact Zoom via [email protected] with your questions.
Reports that do not include responsibly demonstrated impact
Reports that require "disabling antivirus"
Reports that require sending a user malware
Reports involving any vulnerability that requires bypassing normally enforced mobile OS controls (e.g., rooted device, adding custom root CA, etc.)
Captcha or ReCaptcha bypasses
Username and/or Email enumeration
Reports involving stale links in end user-controlled content (e.g., blog posts) to external sites that no longer resolve or can be taken over
Reports involving publicly announced zero-day vulnerabilities will be awarded on a case-by-case basis
Vulnerabilities that have had an official patch released for less than one month will be awarded on a case-by-case basis
Bugs in content/services that are not owned/operated by Zoom
Vulnerabilities that have already been addressed in a product update, or are already known to Zoom, regardless of whether the update has been applied to the publicly available research machines
Subdomain takeovers for out-of-scope domains
Self-XSS or XSS bugs that require an unlikely amount of user interaction
Bugs that are categorized as informational
CSRF on forms that are available to anonymous users
Clickjacking and issues that are only exploitable through clickjacking
Descriptive error messages (e.g., stack traces, application or server errors) that have no security implications
HTTP 404 codes/pages or other HTTP non-200 codes/pages
Fingerprinting/banner disclosure on common/public services
Disclosure of known public files or directories (e.g., robots.txt)
Presence of application or web browser “auto-complete” or “save password” functionality
Lack of Secure and HttpOnly cookie flags
Tabnabbing
Email configuration issues (SPF, DKIM, DMARC)
Forced Login / Logout CSRF
Account lockout by repetitive incorrect password submissions
Password complexity or account recovery policies
HTTPS Mixed Content
Missing HTTP security headers, specifically: Strict-Transport-Security, X-Frame-Options, X-XSS-Protection, X-Content-Type-Options, and Content-Security-Policy
OPTIONS HTTP method enabled
Known SSL issues (e.g. attacks such as BEAST, BREACH, POODLE, TLS Renegotiation) without verification of exploitation
SSL Forward Secrecy or HSTS not enabled
Weak SSL/TLS Cipher Suites
Use of a known-vulnerable library without evidence of exploitability
Attacks requiring physical access to a user’s unlocked device
Reports of spam, phishing, or security best practices
Reflected XSS involving Adobe Flash files (.swf)
Open redirect - unless an additional security impact can be demonstrated
Issues that require unlikely user interaction
Attacks requiring MITM
Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
If you are unsure whether a bug or issue that you discover in a participating service is a non-qualifying vulnerability, please email us at [email protected]
Tip: Check out release notes for the latest release changes. We release several times per year, and new features are added regularly. All the latest releases can be found on our Release Notes page.
Feel free to self-register your account to use for testing here: https://zoom.us/signup
When self-registering Zoom test accounts, please be sure to use your @wearehackerone.com email address.
Account Types:
Basic User (Free)
Professional (Paid)
Business (Paid)
Enterprise (Paid)
Zoom Download Center: https://zoom.us/download
# Zoom Documentation