Zoom announced on Wednesday that it has paid out more than $10 million through its bug bounty program since it was launched in 2019.
In 2023 alone, the company awarded a total of roughly $2.4 million for over 1,000 vulnerability reports submitted by more than 200 security researchers.
The total paid out last year is higher than the $1.8 million awarded in 2021, but significantly lower than the $3.9 million paid out in 2022.
Zoom has published security advisories for 58 vulnerabilities with 2023 CVE identifiers, including three critical-severity and approximately two dozen high-severity flaws.
The company recently unveiled an open source Vulnerability Impact Scoring System (VISS) that it has been using within its bug bounty program.
Zoom described VISS as a customizable framework that can help organizations assess and prioritize vulnerabilities based on actual demonstrated exploitation rather than theoretical impact. VISS is meant to complement the widely used Common Vulnerability Scoring System (CVSS).
The system has been used within Zoom’s bug bounty program for more than a year now and at the time of its official unveiling the company said its use had led to an increase in reports describing critical and high-severity vulnerabilities, with researchers investing more time and energy to demonstrate the practicality of their exploits.
Related: Zoom Patches Critical Vulnerability in Windows Applications
Related: Intel, AMD, Zoom, Splunk Release Patch Tuesday Security Advisories
Related: Zoom Expands Privacy Options for European Customers