Zoom shares 90-day progress report, promises its first transparency report later this year
The Zoom CEO said that the company had developed a Central Bug Repository that takes vulnerability reports from HackerOne, Bugcrowd, and email@example.com.
Back in April, Zoom put a 90-day freeze on the development of new features after a massive surge in its user base owing to the lockdown revealed several security and privacy issues with the platform. Now, as the 90-day feature freeze ends, the video-conferencing company has shared a status report on the steps it took to address those issues.
To recall, when it enacted the 90-day feature freeze, Zoom announced a list of seven steps that the company would take to fix flaws in its platform. These included sharing a transparency report and improving its bug-bounty program, among other things. Now, Zoom CEO Eric Yuan has said in a blog post that the company would be announcing its first transparency report later this year.
About the Bug Bounty Program, the Zoom CEO said that the company had developed a Central Bug Repository that takes vulnerability reports from HackerOne, Bugcrowd, and firstname.lastname@example.org. The company has hired a Head of Vulnerability and Bug Bounty and several additional appsec engineers to fix flaws in its platform. It's also working with third-party assessors for the same.
Apart from its transparency report and the bug bounty program, Yuan also said that the company had worked with a group of third-party experts including the CISO advisory council, Lea Kissner, Alex Stamos, Luta Security, Bishop Fox, Trail of Bits, NCC Group, Praetorian, CrowdStrike, and the Center for Democracy and Technology to review and make enhancements to the company's products, practices, and policies. The company has also launched a CISO council comprising 36 CISOs from various industries to discuss topics such as regional data center selection, encryption, meeting authentication, and features such as Report a User, Passwords, and Waiting Rooms, and to suggest improvements regarding the same.
Additionally, the company is working with third-party firms such as Trail of Bits, NCC Group, and Bishop Fox to review the entire platform including its APIs and data centres.
On the feature front, the company has rolled out Zoom 5.0 along with a bunch of new security features such as AES 256 GCM encryption, waiting room and limited screen sharing, among others. It is now working on adding new security and risk management features to its platform. Lastly, the Zoom CEO said that he would continue to hold the weekly webinars, which started on April 1, until July 15, following which the company would move to hosting monthly webinars.
“This period has brought about meaningful change at our company and made the safety, privacy, and security of our platform central to all we do, as we strive to be worthy of the trust customers place in us...But we cannot and will not stop here. Privacy and security are ongoing priorities for Zoom, and this 90-day period – while fruitful – was just a first step,” the Zoom CEO said in a statement.