In November 2020, the Federal Trade Commission (FTC) announced a settlement with Zoom to resolve allegations that the company engaged in misleading practices that undermined the security of its users. According to the FTC’s settlement statement, “Zoom has agreed to a requirement to establish and implement a comprehensive security program, a prohibition on privacy and security misrepresentations, and other detailed and specific relief to protect its user base, which has skyrocketed from 10 million in December 2019 to 300 million in April 2020 during the COVID-19 pandemic.”
The FTC published a description of the consent agreement package in the Federal Register, making the agreement available for public comment over a 30-day period. The comment period concluded on December 14; the Commission will now decide whether to make the proposed consent order final.
Before the public comment period ended, Katie Moussouris, Luta Security CEO & Founder, provided commentary on the agreement to help inform the Commission’s decision-making process. Her comments are included below:
“As everyone is aware, Zoom experienced an exponential increase in users during the pandemic, and with its increased popularity, the company also experienced a surge of potential vulnerability reports. Zoom hired my company, Luta Security, to help assess the condition and sustainability of its existing bug bounty and vulnerability disclosure programs as well as the engineering processes required to manage those programs properly.
During our engagement period, Luta Security provided Zoom a vulnerability handling maturity gap analysis, worked with their internal teams to begin implementing changes to improve their operational capacity and process maturity, and provided the company a roadmap to address areas that still needed improvement when our engagement was concluded. While Luta Security was able to help Zoom flatten the curve of its bug cases by 37 percent in less than 10 weeks, targeting and eliminating imminent zero-day risks for those cases, Zoom still needs to move forward with the recommendations we provided to continue improving its vulnerability handling processes. If Zoom follows our guidance, it will not only help the company revamp its vulnerability disclosure and bug bounty programs to be compliant with the relevant ISO standards, but also, over time, help Zoom decrease the time it takes to fix vulnerabilities, reduce its volume of critical vulnerabilities, and lower its number of zero-day vulnerabilities.
Additionally, bug bounty platform companies do not have the capability to consistently handle multiparty or supply chain vulnerability coordination, such as to different resellers that include Zoom’s software in their product ecosystem. Therefore, organizations like Zoom still have to address these types of relevant security issues in their supply chain on their own, negatively impacting the security of consumers who are using technology from resellers that have not made the updates available to their end users. To help address multiparty vulnerability coordination, organizations will soon have an open-source alternative by using the Software Engineering Institute (SEI) CERT Coordination Center’s new web-based platform for software vulnerability reporting and coordination. This new platform, called the Vulnerability Information and Coordination Environment (VINCE), was developed with multiparty vulnerability coordination in mind. VINCE will help address multiparty vulnerability coordination, as well as providing optional on-premises housing of vulnerability data, which is not a current option offered by commercial bug bounty platforms, which are all single-point-of-failure SaaS platforms. Zoom and other organizations should be migrating their policies, processes, and ticketing systems to those that do not introduce friction to vulnerability disclosure, provide options for on-premises housing of sensitive bug data, and ensure better supply chain vulnerability coordination, for increased protection for consumers.
No company can bug bounty its way to being secure. That’s why Luta Security emphasizes building strong internal engineering processes to reduce the number and severity of vulnerabilities before software is released. We also strongly recommend that companies first ensure they are capable of fixing bugs efficiently when they slip through secure development practices. Real security goes well beyond launching a bug bounty program or jacking up bug bounty prices in a frenzy to create the appearance of diligence. All organizations, including Zoom, must invest internally in people, processes, and tools to truly improve security and protect consumers.”