Vulnerability Disclosure Policy

Zoom’s Security Team is committed to protecting our users and their data. We believe the independent security research community is a key contributor to the security of the Internet, and we welcome reports of potential security issues.

This policy provides guidelines for security researchers to conduct ethical research and coordinate disclosure of security vulnerabilities to Zoom.

We have developed this policy to reflect our values and uphold our sense of responsibility to security researchers who share their expertise with us. We encourage security researchers to report potential security vulnerabilities they’ve discovered so we can fix them and keep our users safe.

This program is hosted on HackerOne and is only for the coordinated disclosure of potential software security vulnerabilities.

Program Rules

  • Notify us as soon as you discover a potential security vulnerability.
  • Only use or access accounts and information that belong to you.
  • Do not destroy or modify data that is not yours.
  • Do not degrade the performance of Zoom products and services or our users.
  • Do not perform social engineering, physical, or denial of service attacks on Zoom personnel, locations, or assets.
  • Follow HackerOne’s disclosure guidelines, this Vulnerability Disclosure Policy, and all applicable laws.

Scope

  • This policy applies to Zoom’s products, services, and systems. Always be careful to verify whose assets you are testing while performing research.
  • Please report Keybase issues to their dedicated bug bounty program on HackerOne.
  • Vulnerabilities found in vendor systems fall outside of this policy’s scope and should be reported directly to the vendor via their own disclosure programs.
  • If you aren’t sure if a system is in scope or need help reporting a finding to a vendor, contact us at security@zoom.us. We’re happy to help!

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

Out of Scope Vulnerabilities

  • Attacks requiring MITM or physical access to a user's device.
  • Previously known vulnerable libraries without a working Proof of Concept.
  • Clickjacking on pages with no sensitive actions.
  • Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions.
  • Comma Separated Values (CSV) injection without demonstrating a vulnerability.
  • Missing best practices in SSL/TLS configuration.
  • Any activity that could lead to the disruption of our service (DoS).
  • Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.
  • Rate-limiting or brute-force issues on non-authentication endpoints.
  • Missing best practices in Content Security Policy.
  • Missing HttpOnly or Secure flags on cookies.
  • Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.).
  • Vulnerabilities only affecting users of outdated or unpatched browsers (more than 2 stable versions behind the latest released stable version).
  • Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).
  • Public zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case-by-case basis.
  • Tabnabbing.
  • Open redirect, unless an additional security impact can be demonstrated.

How to Report a Vulnerability

We accept and communicate about potential security vulnerability reports on HackerOne.

We will acknowledge receipt of your report within 1 business day.

What we would like to see from you

To help us triage and remediate potential findings, a good vulnerability report should:

  • Describe the vulnerability, precisely where it was discovered, and the real-world impact.
  • Offer a detailed description of the steps needed to reproduce the vulnerability (POCs, screenshots, and videos are helpful).
  • Cover one vulnerability per report (unless the vulnerabilities form an attack chain).
  • Not consist of automated scanner results without proof of exploitability.

What you can expect from us

When you choose to share your contact information with us, we commit to coordinating with you as openly and as quickly as possible.

  • Within 1 business day, we will acknowledge that your report has been received.
  • To the best of our ability, we will confirm the existence of the vulnerability to you and be as transparent as possible about the remediation process, including on issues or challenges that may delay resolution.
  • We will maintain an open dialogue to discuss issues.

Eligibility

The Zoom Bug Bounty program encourages qualified individuals to submit vulnerability reports that detail identification and exploitation of bugs in certain “in scope” products and services. In certain circumstances, Zoom may grant monetary rewards/bounties to the security researcher who submitted the report. While we appreciate every report received, only those researchers that meet the following criteria may be eligible to receive bounty payments:

  • You must be the first researcher to submit a report concerning a specific vulnerability.
  • You must have identified the vulnerability personally, or while working as a part of a team of researchers who all qualify to participate in the Zoom bug bounty program.
  • You must not be employed by Zoom, its subsidiaries or related entities, currently or within the last 12 months.
  • You must comply with this policy when discovering vulnerabilities and when submitting a vulnerability report.
  • There must be no reason why Zoom would be legally prohibited from awarding you a bounty.

Other Terms and Conditions

Your participation in the Zoom Bug Bounty program does not create any kind of employment relationship or partnership between you and Zoom. You may not represent yourself as a Zoom employee or someone who is affiliated in any way with Zoom. You must comply with all applicable laws in connection with your participation in this program. You are responsible for any applicable taxes associated with any reward/bounty you receive. Vulnerability reports received prior to the launch of this program are not eligible for rewards and may not be re-submitted for a reward. You may not utilize any Zoom logos, trademarks, or service marks without written authorization from Zoom. Zoom reserves the right to modify this policy at any time, and without prior notification, by posting an updated version of this document. Zoom reserves the right to terminate this program at any time and without prior notice.

Intellectual Property

Participating in the Zoom Bug Bounty program does not grant you, or any other third party, any rights to Zoom intellectual property, products, or services. All rights not otherwise granted within this policy are expressly reserved by Zoom. Regardless of whether a bounty is awarded for a report submission, you hereby assign to Zoom all rights, title, and interest, including all intellectual property rights, in all vulnerability reports submitted. You further represent that you have the right to assign all such rights, title, and interest in the submissions to Zoom, and that your participation in the Zoom bug bounty program does not violate any agreement you may have with any other third party, such as your employer.