Since its inception in 2020, Zoom’s private bug bounty program has awarded $2.4 million in payments and swag to security researchers, recruiting over 800 ethical hackers via the HackerOne platform. In 2021 alone, it paid $1.8 million to researchers for helping to identify and resolve more than 400 security bugs, with its bounties now ranging from $250 up to $50,000.
Zoom’s average initial response time to bug submissions is under four hours with full triage of reports typically taking less than 48 hours, while bounties are typically paid within 14 days of report submission. The videoconferencing platform’s foray into the bug bounty sphere has brought early success, but how does it calculate ROI for such an undertaking, and what lessons can CISOs learn when it comes to selling bug bounty concepts to senior management?