As of June 24, 2020, Luta Security has disengaged from Zoom, and we are providing them with a transition plan to use going forward.
Last summer, Luta Security was called in by Zoom Video Communications to assess the functional health and sustainability of their existing bug bounty programs, and the internal engineering processes needed to run them. Vulnerability Coordination Maturity Model baselines and recommendations are one of Luta Security’s core service offerings, one we have used across large, complex organizations and governments such as the UK’s NCSC.
The rush to respond to the pandemic accelerated many organizations’ security efforts, and what had been a quiet engagement with one of our customers took on a new public urgency.
Last week we asked for feedback on Zoom’s existing bug bounty and vulnerability disclosure programs. We are particularly interested in hearing from researchers who have tried to (or decided not to) report a security issue to Zoom in the past. Anything from the NDA to the payouts to the submission form to the experience of working with the bug bounty triage vendors who manage Zoom’s private bug bounties is very much in scope.
Luta Security will add this important feedback as we work to re-architect Zoom’s bug bounty and vulnerability disclosure programs, and help get Zoom’s overall security house in order.
Please email katie.moussouris at Zoom dot us (katie.moussouris@zoom.us) to share your feedback on how Zoom could make its bug bounty better. Please continue to submit potential security vulnerabilities to Zoom via zoom.us/security.
No company can bug bounty its way to being secure. We at Luta Security emphasize building strong internal engineering to reduce the number and severity of vulnerabilities BEFORE software is released, as well as being capable of fixing bugs efficiently when they slip through secure development practices. We were wrapping up a full internal vulnerability coordination and management maturity assessment against ISO 30111 with Zoom when the pandemic hit.
And that’s where the real change has to happen: internally. One of the five capability areas Luta Security measures is Organizational. This is the executive will to change company culture, which we are all fortunate enough to witness with Zoom in real time. It means putting effort into investing properly in security and privacy, not just with words, not just by bringing in big names in security, and not by jacking up bug bounty prices in a frenzy to create the appearance of diligence.
That being said, increased transparency from the many experts working together with Zoom to bring in the very best security help gives the folks watching this effort a chance to see changes unfold. In cases like Luta Security’s work with Zoom, we now get to ask the public for feedback on Zoom’s bug bounties.
I’m excited to highlight my colleagues who will be adding their voices and expertise in the next few weeks. Stay tuned for more. In addition to welcoming my former @stake colleague Alex Stamos to the extended Zoom security family last week, I’d like to welcome Lea Kissner, Matthew Green, Bishop Fox, NCC Group, and Trail of Bits. Watch for their additions to what I hope will be a longer, constructive conversation about Zoom security.
Zoom was there with all of us in the struggle we have faced over these unprecedented months, personally and professionally, and its ease of use translated to ease of abuse. Finding serious vulnerabilities is one thing, fixing them is another, and preventing the same classes of bugs from recurring over time is the deep security engineering commitment we want to see from all organizations, not just the ones under the spotlight.
Let’s get to work.