7 min read
Updated on April 20, 2023
Published on July 01, 2020
During the first few months of 2020, the Zoom team worked around the clock to support the tremendous influx of new and different types of users on our platform. The sudden and increased demand on our systems was unlike anything most companies have ever experienced. As March came to a close, we realized that our singular mission to deliver frictionless video communications to hundreds of millions of daily meeting participants needed to include an equivalent focus on security and privacy – areas where we needed to do more.
On April 1, 2020, we pledged to make a number of enhancements to address security and privacy. The 90-day program we rolled out that day refocused our company on 7 commitments that embedded security and privacy permanently in Zoom’s DNA. Today I will provide a status update on each of those commitments, as well as share our path forward.
Commitment #1: Enact a feature freeze, effective April 1, and shift all our engineering resources to focus on our biggest trust, safety, and privacy issues.
Status: We enacted a 90-day freeze on all features not related to privacy, safety, or security. With all of our engineering and product resources aimed in this direction, we released over 100 features including the following:
Going forward, we have put mechanisms in place to make sure that security and privacy remain a priority in each phase of our product and feature development:
Commitment #2: Conduct a comprehensive review with third-party experts and representative users to understand and ensure the security and privacy of all of our new use cases.
Status: We have worked with a group of third-party experts to review and make enhancements to our products, practices, and policies, including our CISO advisory council, Lea Kissner, Alex Stamos, Luta Security, Bishop Fox, Trail of Bits, NCC Group, Praetorian, Crowdstrike, Center for Democracy and Technology, and other organizations in the privacy, safety, and inclusion spaces. The contributions of everyone on this list have been tremendous and we are so grateful for their help.
Commitment #3: Prepare a transparency report that details information related to requests for data, records, or content.
Status: We have made significant progress defining the framework and approach for a transparency report that details information related to requests Zoom receives for data, records, or content. We look forward to providing the fiscal Q2 data in our first report later this year. In the meantime, we have recently created a guide for how we respond to government requests. We also updated our privacy policies, mostly to make them easier to understand, and added a separate California Privacy Rights Statement. You can find these documents on zoom.com/privacy-and-legal.
Commitment #4: Enhance our current bug bounty program.
Status: We have developed a Central Bug Repository and related workflow processes. This repository takes vulnerability reports from HackerOne, Bugcrowd, and security@zoom.us (the latter of which does not require an NDA) triaged through Praetorian. We established an ongoing review process with daily meetings, and improved our coordination with security researchers and third-party assessors. We also hired a Head of Vulnerability and Bug Bounty, several additional appsec engineers, and are in the process of hiring more security engineers, all dedicated to addressing vulnerabilities. In the meantime, we’re focused on improving our response times. Overall, our bug bounty process is solid, and will only be stronger as we accomplish our hiring objectives. We are grateful to Luta Security for their help in this process.
Commitment #5: Launch a CISO council in partnership with leading CISOs from across the industry to facilitate an ongoing dialogue regarding security and privacy best practices.
Status: We launched our CISO council, composed of 36 CISOs from a variety of industries, including SentinelOne, Arizona State University, HSBC, and Sanofi. This council, led by our Deputy CIO Gary Sorrentino, has met four times over the past three months and advised on important matters such as regional data center selection, encryption, meeting authentication, and features such as Report a User, Passcodes, and Waiting Rooms. The council has proven to be such a success, we will extend this program with CISO Roundtables -- interactive discussions between CISO customers and our security team leaders to understand the measures that Zoom has taken and will take in the future to ensure the security and privacy of our platform. Interested CISOs and CIOs can ask their Zoom Account Executive for more information.
Commitment #6: Engage a series of simultaneous white box penetration tests to further identify and address issues.
Status: Zoom engaged multiple firms - Trail of Bits, NCC Group, and Bishop Fox - to review our entire platform. Their scope of work covered:
Zoom is committed to continuous third-party penetration tests as a foundation of its security program.
Commitment #7: Host a weekly webinar on Wednesdays to provide privacy and security updates to our community.
Status: Including today’s webinar, we have hosted 13 of these webinars total, every Wednesday since April 1. These virtual events featured a number of our executives and consultants who took live questions from the attendees. We also shared a recap and recording of the webinars on our blog every Wednesday. We will continue these webinars, the next on July 15, and then move to a monthly cadence.
Other key updates
We’ve taken some additional noteworthy steps:
Where do we go from here
This period has brought about meaningful change at our company and made the safety, privacy, and security of our platform central to all we do, as we strive to be worthy of the trust customers place in us. I am proud of, and humbled by, the role Zoom has played in connecting the world in crisis, and in all that our team has accomplished in the past 90 days to better secure our platform.
But we cannot and will not stop here. Privacy and security are ongoing priorities for Zoom, and this 90-day period – while fruitful – was just a first step. Throughout this report I have provided information on new processes and people that will help Zoom on our journey to becoming the most frictionless and secure video communications platform in the world.
Thank you to our users for your support, patience, and trust. Our core value as a company is to care, and we hope we have shown that through our actions over these past 90 days -- and will continue to show it through future actions.
Download a PDF summary of our key updates
Editor's note: This post was updated Nov. 6, 2020, to clarify language around customizing your data routing settings.
Editor’s note: This blog post was revised on 4/20/2023 to include the most up to date information on our data routing control feature.
6 min read
Zoom Cares helps nonprofits like Ready Set Push provide life-changing programs to people in need. Learn how they impact their communities.
3 min read
In today’s data-driven world, having a local data center in a specific region has become more than just a technological advantage; it’s a strategic
7 min read
When Kelsie Colley, a people research consultant at Zoom, was job hunting in December 2022, she applied only to remote positions. But she wasn’t just looking for any remote role — she wanted to work for an organization where engagement was measured in more ways than if your...
