Teleconferencing app Zoom announced today plans to revamp its bug bounty program as part of its long-term plan to improve the security of its service.
The company has hired Luta Security, a company specialized in managing sustainable vulnerability disclosure and bug bounty programs.
Luta Security is helmed by cyber-security veteran Katie Moussouris. The Luta Security founder is best known for setting up bug bounty programs for Microsoft, Symantec, and the Pentagon.
Both companies — Zoom and Luta Security — made the announcement earlier today.
Zoom previously used to run a bug bounty program on the HackerOne platform.
Luta Security has a free hand to rebuild Zoom’s existing program. Moussouris said she’s now taking input from the entire cyber-security community on ways to improve Zoom’s vulnerability disclosure process.
“Anything from the NDA to the pay to the submission form to the experience working with bug bounty triage vendors who are managing Zoom’s private bug bounties are all very much in scope,” Moussouris said.
Other big-name hires to follow
Zoom hired Moussouris, a well-known and respected figure in the cyber-security industry, a week after it hired former Facebook CSO Alex Stamos as a security consultant.
In a tweet today, Moussouris hinted that more high-profile names will be joining Zoom in the coming days. The list includes privacy expert Lea Kissner (former Global Lead of Privacy Technology at Google), cryptographer and Johns Hopkins professor Matthew Green, and three well-known security auditing firms — BishopFox, the NCC Group, and Trail of Bits.
New security features rolling out later this week
The new hires are part of Zoom’s efforts to improve the service’s security posture.
Due to the coronavirus (COVID-19) pandemic, the app grew from 10 million users in December to more than 200 million users today. Because of its sudden rise in popularity, the app came under scrutiny from cyber-security researchers, privacy experts, and hackers.
Experts found security flaws in the app’s code, privacy issues with user data management, and weaknesses in the app’s custom encryption scheme, and the company faced accusations of sending data to Chinese servers where it could be hijacked by Chinese intelligence.
Facing a rising wave of criticism that was threatening to ruin its growing reputation, Zoom CEO Eric Yuan announced on April 1 plans to stop development on all new app features and focus solely on security.
Over the past two weeks, Zoom has patched all known security flaws, has deployed features to secure Zoom meetings against the practice known as Zoom-bombing, and has hired experts to craft a long-term cyber-security strategy.
During its weekly “Ask Eric Anything” webinar last night, the Zoom CEO summarized the company’s past efforts and also gave a glimpse of future Zoom security features [see image below].
Image: Zoom
According to Yuan, future plans include adding an option to let users control the Zoom data centers where their data will be stored and adding an option to report abusive users.
The first feature will help quench fears that Zoom chats and encryption keys might be sent to Chinese servers. The second will help Zoom shut down accounts engaging in Zoom-bombing.
Furthermore, Alex Stamos, speaking in the same webinar, announced plans to move from Zoom’s current shoddy app call encryption scheme to a more widely tested and trusted solution.
More specifically, Stamos said Zoom will be moving away from the current AES-256 in ECB mode to the more secure AES-256 in GCM mode, but added that the “long-term focus will involve a totally new cryptographic design that greatly reduces risk to Zoom’s system.”
In @zoom_us’s privacy/security webinar, @alexstamos says “in a matter of weeks” they’ll be upgrading ciphers to AES-256 GCM.
And in the long-term, they’re building an E2E encryption option, have a number of PhD cryptographers working on hard problems. More announcements soon.
— Micah Lee (@micahflee) April 15, 2020
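To make concrete why the ECB-to-GCM move matters, here is an added Go example using only the standard library; it is not Zoom’s code and does not come from the article. It encrypts plaintext block by block with raw AES-256 in ECB fashion and counts the identical ciphertext blocks that result, then builds an AES-256-GCM AEAD whose Open call rejects any ciphertext that has been modified. The key and nonce values used to exercise it are constructed test values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"errors"
)

// ecbEncrypt applies the raw AES block function to each 16-byte block independently
// (ECB: no IV, no chaining). Go ships no ECB helper on purpose; this loop exists only
// to show the weakness. pt must be a whole number of blocks; no padding is applied.
func ecbEncrypt(key, pt []byte) ([]byte, error) {
	b, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(pt)%b.BlockSize() != 0 {
		return nil, errors.New("plaintext must be a whole number of blocks")
	}
	ct := make([]byte, len(pt))
	for i := 0; i < len(pt); i += b.BlockSize() {
		b.Encrypt(ct[i:], pt[i:])
	}
	return ct, nil
}

// repeatedBlocks counts ciphertext blocks identical to an earlier block. Under ECB,
// equal plaintext blocks always encrypt to equal ciphertext blocks, leaking structure.
func repeatedBlocks(ct []byte) int {
	seen, n := map[string]bool{}, 0
	for i := 0; i+16 <= len(ct); i += 16 {
		if k := string(ct[i : i+16]); seen[k] {
			n++
		} else {
			seen[k] = true
		}
	}
	return n
}

// newGCM wraps AES in GCM: a counter-mode keystream (so equal blocks differ) plus a
// 16-byte tag that Open checks before returning anything. Seal with a 12-byte nonce
// that never repeats under the same key; reuse breaks both confidentiality and the tag.
func newGCM(key []byte) (cipher.AEAD, error) {
	b, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(b)
}
```

With four identical plaintext blocks, the ECB output contains three repeated ciphertext blocks, the GCM output contains none, and flipping a single byte of the GCM ciphertext makes Open return an error instead of corrupted data.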