The firm’s CISO reflects on bug bounty ROI and selling the concept to senior leadership.

Since its inception in 2020, Zoom’s private bug bounty program has awarded $2.4 million in payments and swag to security researchers, recruiting over 800 ethical hackers via the HackerOne platform. In 2021 alone, it paid $1.8 million to researchers for helping to identify and resolve more than 400 security bugs, with its bounties now ranging from $250 up to $50,000.

Zoom’s average initial response time to bug submissions is under four hours, full triage of reports typically takes less than 48 hours, and bounties are typically paid within 14 days of report submission. The videoconferencing platform’s foray into the bug bounty sphere has brought early success, but how does it calculate ROI for such an undertaking, and what lessons can CISOs learn when it comes to selling bug bounty concepts to senior management?

How Zoom developed its bug bounty program in 2021

In a review of its bug bounty program, Zoom outlined several key updates it implemented in 2021 to improve the process, with a particular focus on supporting researchers and attracting new talent. These include the introduction of a “bounty menu,” which gives researchers specific bounty amounts based on the type of vulnerability found and the demonstrated impact it may have on Zoom’s users and infrastructure.

Zoom also enabled a public Vulnerability Disclosure Program (VDP), allowing anyone, not just established security researchers, to submit vulnerability reports. It said that this has streamlined the intake of reports and lets the right teams at Zoom get involved rapidly, which ultimately leads to faster bug remediation and a more secure product. In October, the firm launched its VIP Bug Bounty program, which is focused on the licensed versions of Zoom solutions and has expanded the scope of security testing.
Furthermore, the team focused on decreasing initial response, triage, remediation, and bounty payout times to achieve the metrics mentioned above, along with hosting meet-and-greet meetings with researchers around the world.

Zoom CISO Jason Lee tells CSO that these things have been key to the development and success of the program over the last year. “Our team aims to maintain strong communication with researchers, and we strive for prompt response times. We’re also looking to continuously improve the program. For instance, just last year we raised our maximum bug bounty to $50,000 to further incentivize researchers and help match the time and effort they were spending on finding bugs.”

Zoom’s bug bounty ROI and selling to senior leadership

While a total payout of $2.4 million reflects a significant investment, and one that many senior management teams may balk at, Lee says that the ROI of quickly identifying and fixing vulnerabilities far outweighs the bounty outlay when the potential cost of even a single data breach is taken into account. “We measure the Zoom Bug Bounty program not only in terms of the number of bugs we’re able to fix, but also in getting more eyes on reviewing our products,” he adds. “We’re able to tap into more diverse talents and skill sets and gather a greater, outside perspective to look for potential bugs.”

This selling point is key to getting senior management on board with bug bounty concepts, and it is evidence of the long-term security advantages of short-term bounty investment that CISOs should focus on, he says. “Bug bounty plays a role as part of our larger security strategy. It’s a proactive way for us to track down bugs and harden our attack surface. We find a lot of value in identifying possible vulnerabilities before the bad actors, so that we can fix them promptly and keep our users safe.
We also feel strongly about rewarding researchers for their hard work and efforts to enhance the security of our platform.”