Turning the Zoom exploit into lemonade

In early March a security researcher discovered a Zero Day security issue with the Zoom software. This particular exploit would allow bad actors to start a Zoom instance and turn on a customer’s camera. This vulnerability appears only to impact Macs. Also, when Zoom software is uninstalled, a program still resides on the computer, leaving the system vulnerable.

To get the down and dirty details, click here to read the full account. The article includes a timeline of communication with Zoom. That timeline is the real story here and offers a glimpse into the processes of Zoom during a stressful time.

Remember, Zoom’s IPO was in late April; right in the middle of this exploit timeline. The company’s first official response was to offer the researcher a “bug bounty” with the understanding he would not discuss his findings, ever. Given the impending stock sale, one could understand that reaction. The security professional declined, and Zoom went back to work fixing the issue. The company eventually fixed the problem, though it was about a week after the public disclosure. Also, Apple released their own fix with an update to the Mac OS.

The Silver Lining

There are a few things to watch, or review, in this story. The first is the caution with which Zoom progressed. According to the article, the company took almost a month to respond. Again, this was while ramping up to an IPO. However, a month to confirm a bug in the software seems to be a bit average. Once verified, Zoom sought to keep the exploit quiet. The need and desire for secrecy is understandable. Given that Zoom’s entire product offering lays on the foundation of the software, the market doesn’t want to see a reactionary response. This was a measured response and one done with purpose.

Talking Zoom Exploit

The second point to watch was Zoom CEO, Eric Yuan’s response. Yuan joined a chat room to discuss the findings with other security researchers. The Zoom CEO found it necessary and proper to address the security issue personally. The company is Yuan’s creation, his baby if you will. Yuan discussing a problem with Zoom would be like Henry Ford sitting down to talk about the Model T. Eric’s willingness proves he is here for the good and bad.

Paying for Bugs

One item that gets lost in this story is the establishment of a “bug bounty” from Zoom. Quickly, a bug bounty is a public policy by a company offering money for security issues found. Before this incident, Zoom appears to have a simple system in place. Since the release of the exploit, the company has set up a formal system to pay researchers for security issues. The official bug bounty is another sign Zoom is maturing and evolving into a mature software company. It’s a good sign for both investors and users.

The bottom line here is that no company is immune from issues in their software. There’s a reason every Tuesday those on PCs have a patch available. The trick is what the company does once a vulnerability has been exposed. Zoom handled the exploit with caution but took it seriously. One could disagree with Zoom’s original explanations of why it was there in the first place. However, I’d argue there shouldn’t be any disagreement with their response. Zoom acknowledged the security flaw and fixed it. That is exactly what we expect from software companies we trust.

Futurum Research provides industry research and analysis. These columns are for educational purposes only and should not be considered in any way investment advice.

Related content from the Futurum Team:

Zoom Zero Day Vulnerability: A Real Problem For Zoom And Its Users 

Zoom Earnings — Crushing It, But There Are Big Hurdles Ahead 

Zoom IPO — Zoom Zoomed Through It

Author Information

Tim Albright

Timothy Albright is Analyst in Residence at Futurum Research where he covers the Collaboration, Unified Communication and ProAV space. Tim is also the founder of AVNation, an audiovisual industry B2B media firm. Taking the data, ideas, and objectives of clients and industry leaders and turning them into easily digestible content is where Timothy has lived and worked for the last twenty years. His career has lead him into broadcast television and radio, education, programming, digital media production, and has been teaching and producing podcasts since 2006. Over the last ten years, Timothy has been focused on researching where business communication is and where it is going. This includes working with education, healthcare, and Fortune 1000 companies leverage their existing infrastructure to help their employees and customers communicate more effectively and efficiently. In addition to hosting and producing a weekly AV and UC news program, he has contributed to several industry-leading publications. Timothy has lead industry discussions around the globe and is a highly sought-after moderator for his ability to bring the real-world uses into conversations and panel discussions.