In November 2020, the Federal Trade Commission (FTC) announced a settlement with Zoom to reconcile the allegations that the company engaged in misleading practices that undermined the security of its users. According to the FTC’s settlement statement, “Zoom has agreed to a requirement to establish and implement a comprehensive security program, a prohibition on privacy and security misrepresentations, and other detailed and specific relief to protect its user base, which has skyrocketed from 10 million in December 2019 to 300 million in April 2020 during the COVID-19 pandemic.”
The FTC published a description of the consent agreement package in the Federal Register, making the agreement available for public comment over a 30-day period. The comment period concluded on December 14, and the Commission will now decide whether to make the proposed consent order final.
Before the public comment period ended, Katie Moussouris, Luta Security CEO & Founder, provided commentary on the agreement to help inform the Commission’s decision-making process. Her comments are included below:
“As everyone is aware, Zoom experienced an exponential increase in users during the pandemic, and with its increased popularity, the company also experienced a surge of potential vulnerability reports. Zoom hired my company, Luta Security, to help assess the condition and sustainability of its existing bug bounty and vulnerability disclosure programs as well as the engineering processes required to manage those programs properly.
During our engagement period, Luta Security provided Zoom a vulnerability handling maturity gap analysis, worked with their internal teams to begin implementing changes to improve their operational capacity and process maturity, and provided the company a roadmap to address areas that still needed improvement when our engagement was concluded. While Luta Security was able to help Zoom flatten the curve of its bug cases by 37 percent in less than 10 weeks, targeting and eliminating imminent zero-day risks for those cases, Zoom still needs to move forward with the recommendations we provided to continue improving its vulnerability handling processes. If Zoom follows our guidance, it will not only help the company revamp its vulnerability disclosure and bug bounty programs to be compliant with the relevant ISO standards, but also, over time, help Zoom decrease the time it takes to fix vulnerabilities, reduce its volume of critical vulnerabilities, and lower its number of zero-day vulnerabilities.
To that end, as the FTC continues to monitor Zoom’s progress, it’s important that the Commission is made aware of friction introduced via a common practice by bug bounty platforms that may hurt companies’ ability to receive external reports from security researchers. All commercial bug bounty platform companies require security researchers to accept Non-Disclosure Agreements (NDAs) as part of their standard Terms of Use if they want to report vulnerabilities through their platforms. These terms are often seen as unreasonable by researchers, given that the platforms can use NDAs to force the researcher’s silence. This can be a serious problem for several reasons, including if a vendor decides to ignore or significantly delay patching a critical bug without providing mitigations for its customers or users. This was the case in the Zoom vulnerability found by Jonathan Leitschuh in the summer of 2019, which took longer than 90 days to fix. Bug bounty platforms also enforce non-disclosure even after vulnerabilities are addressed, limiting the public’s knowledge about vulnerabilities in products and services, clouding consumer choices on how best to protect themselves.
Another source of friction in the vulnerability disclosure process introduced by commercial bug bounty platforms is the lack of breadth in routing and escalating security incidents and breaches reported through the platform. As they are often the only point of contact offered to the public for security matters, the bug bounty platforms receive non-bug security reports that are still serious security issues that must be addressed quickly, such as breach reports. Several data breaches of other organizations such as Capital One were initially reported to a bug bounty platform, whose triage personnel closed the breach reports as out of scope with no investigation or routing of the breach to internal security responders, causing a material delay in protecting users. The reporters of these breaches were also threatened with removal by the bug bounty platform triage personnel for violating the Terms of Use in the NDA when they said they would go to the breached organizations directly. Commercial bug bounty platforms in place at Zoom and other organizations create friction that often fails to achieve the objective of responsive vulnerability disclosure and handling processes.
Additionally, bug bounty platform companies do not have the capability to consistently handle multiparty or supply chain vulnerability coordination, such as to different resellers that include Zoom’s software in their product ecosystem. Therefore, organizations like Zoom still have to address these types of relevant security issues in their supply chain on their own, negatively impacting the security of consumers who are using technology from resellers that have not made the updates available to their end users. To help address multiparty vulnerability coordination, organizations will soon have an open-sourced alternative by using the Software Engineering Institute (SEI) CERT Coordination Center’s new web-based platform for software vulnerability reporting and coordination. This new platform, called the Vulnerability Information and Coordination Environment (VINCE), was developed with multiparty vulnerability coordination in mind. VINCE will help address multiparty vulnerability coordination, as well as provide optional on-premises housing of vulnerability data, which is not currently an option offered by commercial bug bounty platforms, all of which are single-point-of-failure SaaS platforms. Zoom and other organizations should be migrating their policies, processes, and ticketing systems to those that do not introduce friction to vulnerability disclosure, provide options for on-premises housing of sensitive bug data, and ensure better supply chain vulnerability coordination, for increased protection for consumers.
No company can bug bounty its way to being secure. That’s why Luta Security emphasizes building strong internal engineering processes to reduce the number and severity of vulnerabilities before software is released. We also strongly recommend that companies first ensure they are capable of fixing bugs efficiently when they slip through secure development practices. Real security goes well beyond launching a bug bounty program or jacking up bug bounty prices in a frenzy to create the appearance of diligence. All organizations, including Zoom, must invest internally in people, processes, and tools to truly improve security and protect consumers.”