TomAnthony | 4 years ago

I think this might have been true in the past, but I don't think it is true any longer. Zoom grew at a wild pace during the early days of the pandemic, and with that came security issues. However, they recognised that and invested into security.

I have previously reported bugs to Google, including one where they simply didn't put any auth on an API endpoint for a new feature, allowing access to any account's data. That is a massive oversight, but at Google scale we realise these things happen, and the more important consideration is how companies respond.

Zoom have a private bug bounty program, but I previously disclosed Zoom bugs publicly [1] as I didn't think their bug bounty program was worthwhile engaging with.

However, they overhauled it, and now of the dozens of private programs I am part of, Zoom's is one of the absolute best. The payouts are great, the team actively engages with the researchers, and seem to legitimately care about getting things right.

Are they perfect? Of course not. But I would feel safer on a Zoom call than on a call with many competitors who simply don't get as much scrutiny.

[1] https://www.tomanthony.co.uk/blog/zoom-security-exploit-crac...