
Zoom 0-Day: How not to handle a vulnerability report

BSides CT · 2019 · 48:13 · 323 views · Published 2019-11
About this talk
In July 2019, Jonathan Leitschuh disclosed a critical zero-day in Zoom that allowed attackers to join victims' video calls with cameras active by sending a malicious link, and to achieve remote code execution through a hidden daemon that persisted after uninstallation. This talk examines Zoom's mishandling of the vulnerability report, the decision to go public, the chaotic post-disclosure aftermath, and lessons learned about security culture, responsible disclosure, and corporate response to vulnerability reports.
Original YouTube description
(full title: Zoom 0-Day: How not to handle a vulnerability report)

Thanks to the BSides CT Organizers, volunteers, sponsors, and attendees. Thank you Irongeek for coming out to film, and his video crew volunteers Greg Jurman, Spencer Smalley, Steven Swabby and Daniel Robels.
http://www.irongeek.com/
https://www.bsidesct.org/

On July 8th, 2019, a bombshell 0-Day vulnerability was dropped on Zoom Inc that disclosed how anyone could maliciously join a victim's Mac to a call with their video camera active simply by visiting a malicious website. Additionally, Zoom left behind a hidden daemon that would re-install the Zoom client after it had been uninstalled. It was later discovered that this "feature" could be abused to allow remote code execution. In this talk, I'll discuss my communications with Zoom's security team and the reasoning behind what led to my decision to resort to 0-Day disclosure. Additionally, we'll walk through the post-disclosure timeline around how this vulnerability went from bad to worse, requiring the Apple security team to step in and use MRT to resolve this vulnerability.

Jonathan Leitschuh is a Software Engineer and Security Researcher. He is currently a member of the Gradle Security Team. His company's software is used to build almost all JVM based Android applications in the world. His research focuses on build infrastructure and software supply chain security.
Transcript (en)

All right, I'd like to introduce our next speaker, Jonathan Leitschuh. He's speaking on "Zoom 0-Day: How not to handle a vulnerability report." Welcome, Jon.

All right, so, yeah, as I said before, my name is... come on, please, now... yeah, my name is Jonathan Leitschuh. I'm a software engineer and security researcher. I currently work at Gradle, which is a build tool company; the tool is used for building Java applications around the world. And you can find me on Twitter. So I got into software security in this space probably about a year and a half ago, where I kind of realized that the barrier to entry for finding security vulnerabilities is actually quite a bit lower than I expected, and I started finding vulnerabilities and started poking, and this ended up being one of my pokes of curiosity.

So let's talk about the agenda for this talk. I'm going to cover first the discovery of this vulnerability and the disclosure timeline around it, and then my disclosure policy and why I have the disclosure policy that I use. From there we'll go and talk about the post-disclosure timeline, what happened after the vulnerability was disclosed, and an analysis from the perspective of Zoom of how they handled this wrong, so that it ended up blowing up from a media perspective to look bad upon them, and the things that they had to do to roll that back.

So one of the big questions that I get from people on a regular basis is: why were you looking at Zoom? And the simple answer was, I was curious. I wasn't really looking for a vulnerability. The big thing for me was, I was curious how you could go from clicking a link like this, to having a web page open in your browser, to having an application on your local machine running. What was that chain of events that allowed that to occur, and how is Zoom doing this in a way that was secure? I mean, my initial thought was there might be some communication from your GET request in the browser going through to their servers and then bouncing back to your client on your local machine. I was curious how that worked. So, right, what is this black magic that's going on behind the scenes that's allowing this behavior to occur? Because it is so seamless, and so many people are using it. We were using it in my company at the time; I was working for Plexxi, which at that time had been bought by Hewlett Packard Enterprise. So, yeah, we were using it.

So the first thing that I did was I broke open the Chrome developer tools and started seeing these localhost connections. Why are there localhost connections? And you'll notice that there is a connection to something on port 19421. And I was confused: okay, so there's something running on my local machine, and it's making GET requests for images. So it seems like, wha... why images? And so I started to get into the JavaScript source code, and you start seeing stuff like this, right: log start, load, load image. So first off, why are they making requests for images instead of making regular requests, like for JavaScript? Second off, what is this thing that's on my machine, and what is it doing?

And the other thing that was kind of weird was there was this block of logic where the response of the image that came back seemed to be like this enum. And so what I found out was that actually the response that the web server gave you was an image of a certain pixel dimension, and based upon the pixel dimension you would return these error codes, right? So a six-by-one image was a failure, "invalid domain," right; a one-by-one image, success. And so I was like, okay, this is weird; why are they passing data back over an image? That seems really weird.

And so at this point, I had been able to figure out that... so one of the things I ended up trying from here was: all right, I see that this logic exists on their site; can I make the same request that Zoom's website is making from another page? Right? So I spun up my own website and tried it, and lo and behold, making the same GET request for an image popped my Zoom client open. But the component that was missing there... so from that point I was able to get you, from my website, which was malicious, supposedly, in the attack scenario, into a call without your permission. The component that was missing, though, was I couldn't get you into a call with your video active, because the default for Zoom calls when you create them is that your video is off, right? So I'm like, okay, well, I've got part of something here. I've got you into a video call, but I don't know if I would necessarily consider that a vulnerability. It's weird behavior, probably not excused behavior, but I might not consider that a vulnerability. Right? So can we get video? Well, no... maybe... yeah, actually, yes, you can.

And so how did I...? So I ended up sitting on this one for about a week. I went on vacation. When I came back, I noticed that when I was creating a meeting... so I normally did not create meetings myself; I either used the Outlook client or something like that. But when I used this application to create a meeting, I noticed something interesting: this little setting for participants, where you can set the participants to have their video on by default when they join the call. And so what I found out was that if you as a user had not configured your Zoom client prior to this, if you had just left it as the defaults, this setting would allow me, as the host, when I set up the meeting, to tell your Zoom client, "Oh, join with your video," when you come to join. Right?

So from there I went to... so when I had the first component, right, just without the video, I reached out to them over Twitter, because I couldn't find a security place to report it. So one of the things that I'll do is I will try to find a security location to report something; if I can't, I'll reach out to the company over Twitter saying, "Hey, where is your security reporting thing?" And usually you get a contact back saying, "Here, send it to this email." No response with Twitter. So I finally opened a support ticket, and that actually got a response, which is good. And so I laid out the whole details of the vulnerability: here's the proof of concept, with a website that just... it's an image. The website was a simple image GET request in any document; this will join anybody to a Zoom meeting without their permission.

And the other component to this is, I have a disclosure policy, and the disclosure policy that I use is this: "This responsible disclosure follows Google's 90-day vulnerability disclosure policy. I'm not an employee of Google; I just like their policy." That's actually something that I put in every email that I send. And then something that I've since added, since the Zoom vulnerability, and more recently, is: "Full disclosure will occur either at the end of the 90-day deadline or whenever a patch is made widely available, whichever occurs first." And so, I guess one of the big questions that we want to ask is, why 90 days? Right? 90 days is Google's policy. The original... I believe the original... I had a chat with Katie Moussouris about this, who has been doing vulnerability disclosure for years, and she said one of the original OG vulnerability disclosure

deadlines was a week. Different times, also; it was much harder for people to patch things back then, because there weren't automated update processes, right? Google's policy, I believe, stems from trying to wrap their disclosure timeline around finding vulnerabilities in Microsoft stuff, and Microsoft has a one-month release cycle, right? So they release their updates every month, and so this 90 days gives three release cycles for Microsoft, and some of these big companies that have long release cycles, to get their fixes into those release cycles. Some companies have 90 days, and some companies say 45 days for disclosure, but I do fundamentally believe that, especially when you're shipping software, a disclosure deadline is important, and it's for two components, right? One component is it puts a fire under the company to get it fixed, because otherwise they can just let it sit; it doesn't become a priority unless there's a timeline. And the other component is that it's important that these things become public, because if they're not public, then people don't know that there are vulnerabilities they need to patch. Right? And so I also regularly, when I find vulnerabilities in stuff, make sure that I get a CVE number for the vulnerabilities that I find.

And so when I sent my email to Zoom, I got a response, and they said, "Great, thank you so much; we will invite you to our bug bounty program." Which they did; it was a bug bounty program. They invited me to the program, and I started reading through the rules, the rules of their disclosure, and this is what I found: "Please note this program does not allow disclosure. You may not release information about vulnerabilities found in this program to the public." And also their payouts were low. Given what I'd found, I think the payout they were looking at was between three hundred and eight hundred dollars. And so my response was, "I can't in good conscience participate in your bug bounty program given the terms of your program." And so I said I'm not going to disclose through your bug bounty program; I'm going to instead choose to continue to use email. And they were, "Okay, fine, sure." All right, so that's the channel that we continued to move through.

So after I disclosed this, I started poking around a little more, and I found some more things that were kind of interesting. So I decompiled the Zoom client. So here's the interesting thing I ended up looking for: remember that port, I don't remember the number, nineteen-something. I ended up looking to see, okay, where is the process that was launched, what process was bound to that port? Right? I found that there was a Zoom application that was not in the Zoom app, but was installed in your home directory, separate from the Zoom app. And it had a bit of code, getDownloadURL, and I was like, this is interesting. And that was gated by this logic, which, yeah, right... so if you look at it, it says if r4 is equal to a string, and then these are the different strings that they had. And so I wasn't quite certain; I'm not very good with decompiled code, especially Objective-C, but it looked like there was some download logic going on, where they were allowing downloads from one of these domains, and I didn't have an answer as to what was going on. But I did check out zoomgov.com, and the DNS record for that was about to expire in about four days. So I was like, okay, four days; there's another component here, I'll get there.

So I also disclosed this to the Chromium project and the Mozilla team, and the reason behind that was I was curious. I was not accurate in this, but I believed that CORS, which is the cross-origin resource request protection that browsers have in place to prevent, for example, your website, which is maliciouscatvideos.com, from making a JavaScript or a JSON POST request to a resource like google.com, right, so they can't impersonate your account... similar protections, I believe, should be in place around things like localhost, the local IP system. And I was like, you browsers, why are these systems not in place? And the response was, there's an RFC in flight around fixing this, but it's not a bug in the browser. So both of them ended up closing it, actually. But then Mozilla reopened it. It wasn't a bug against Mozilla Firefox; they reopened it as a bug against their internal infrastructure, because it was Zoom and they were using Zoom. And so they ended up inviting me to a video call with Zoom to discuss this vulnerability, which was the only video interaction that I had with Zoom about this. And in that meeting I brought up the DNS record that was about to expire, and I said, "I don't know what this logic quite does, but it looks like there's some download logic in here, and that DNS record is about to expire. If you let it expire, that might turn into a remote code execution, maybe." And their response was, "Great, we'll get that fixed." And it was fixed by the time that I got home that evening, so that DNS record had been refreshed, and they made sure they had it again. Okay.

So time goes on. At this time I'm actually changing companies, and we're getting very close to the end of the 90-day disclosure window that I gave them, and I'm telling them, "Guys, you don't have a fix out; you've had all this time; what's going on here?" And it was probably about two weeks before the end of the disclosure window where they came to me and said, "Here's our plan for how we're going to fix this." And I ended up saying, "Well, you've got a hole here, here, here and here." And we had a discussion, and they were not the main vulnerability that I'm finding, but there were some minor things with their fix. They were going to validate based upon the IP address making the request, and I was like, well, if you have somebody else that's behind the same NAT router as you, you both have the same IP address; you can still perform the same attack if you're both behind the same NAT router. And they said, well... I think the opinion was, that's a much lower-level attack. Right?

And so we get to about four days from the end of the 90-day disclosure window, and I'm sending them emails. I'm now onboarding with my new company in another country, and I'm like, look, I'm not going to have time to actually look at this vulnerability. So they did fix it; four days before my disclosure, they fixed it, so my POC no longer worked. And I told them, I said, look, if you had been willing to work with me before, not four days before the end of the disclosure window, I would have been more than happy to have reviewed this fix, given you guys feedback, followed up. Right? But you guys pushed it out, pushed it out, pushed it out, pushed it out at the end of the ninety days. If I find a bypass, I'm going public in 24 hours.

Yes, so we hit the public disclosure deadline, and life gets in the way. I had just started a new job, so I didn't have time to go public the day of; I was flying back to the US that day, and the time that I actually had to sit down and begin writing out my write-up took me another two weeks or so. So it ended up being Fourth of July weekend when I actually had time to sit down and write this write-up. Right? So I

called that fixed, right? That's what I thought. And so I was like, okay, I'm going to go write this up, and we'll say, yes, they did fix it; I'm not pleased with the time, but, yeah, they did fix it, and here's the whole story. Right? So I believe that fundamentally... they did leave that web server behind, right? And my thought was, okay, I don't know enough about this web server, and I don't have the skills, I still don't have the skills, to decompile an application like that and find vulnerabilities in it, but it's running on lots of computers; somebody else should take a look at this. And the only way that I'm going to be able to get that is probably by publishing and getting somebody else to follow up on my research, hopefully.

But I found a bypass for their fix. I simply loaded their website in an iframe on my site, and so I could just have all of their code. So what I found was that my original POC just no longer allowed you to join with video active; it still allowed you to get a video call activated via the GET request, right? So my POC stopped working in the component of getting the video active, but when I ran their whole site, it still joined with the video active, right, just like before. And so I just put in their code, whatever their code's doing, which I don't have to recreate on my site, and I hide it. So for those who are not familiar, iframes are a way of embedding other websites' code in your site. This is how all ads are rendered, right? Ads are rendered in iframes to basically keep that code that is untrusted contained. It's also a way of pulling off a couple of vulnerabilities, including things like clickjacking.

So I followed up and I said, "Hey, Zoom, I found a bypass, and I'm going public in 24 hours. I'm writing out my thing," and I said, "I will send you the full write-up before I go public." And they were clearly not thrilled, but I mean, there was not much they could do about it. They did say... I mean, one of the things they said was, well, this is a different vulnerability, and I said no, I warned you about that web server; that web server is probably a security vulnerability, and probably not something that I would trust on my computer, an arbitrary web server running, untrusted, undocumented.

So I did some estimations on the number of Macs that were possibly vulnerable to this. So this is only on Mac, not on Windows. But Zoom, as of 2015, had like 40 million users, and Macs are about 10 percent of the PC market, and they'd had significant growth since 2015. So my estimation was about 4 million Macs were vulnerable to this vulnerability before I went public. And what about that download logic we were looking at before? Right, remember that I couldn't figure it out. So what happens if I uninstall Zoom? It reinstalled itself. What? That was my reaction. So you can't even protect yourself by uninstalling Zoom, because this web server... if you guys have a Mac, that web server is not in the Zoom app file; it's in your home directory, under a .zoomus directory, which has that web server running. Right? So I put that in my write-up.

So I went public about this the next morning. I did wait an extra three hours, which I gave them because they're in California and they wanted to have their team online. I was like, okay, fine, sure, yes, that's fine. But I went public. That was the headline that I used. I did not know about a remote code execution, but I thought there might be one, and I had almost found one. And so from here... so part of this was, I had a proof of concept in the write-up. I had a link in the write-up that said, here, if you want to try out this vulnerability, there are two links. One was with just the image, which would not join with your video, and the other one was, here, join with your video, and it warned, like, you'll be joined to a video call with your video camera active, just a heads up. And we ended up with what we called the Zoom chatroulette. Yeah, 4,000 votes on this tweet; I think it got more likes than my own tweet about this vulnerability. Yeah, so this chatroulette ended up running for about three days straight. It was interesting. Yeah, the Internet's weird. But we also tried to be useful. This was one other thing: so Zoom, when it's an unmonitored Zoom meeting, you have a hard time controlling who's in charge of presenting, and you can't take control of the presenter from somebody else. So one of us that we, like, we're responsible, managed to wrest control of the Zoom meeting, because I didn't even own the meeting; it was actually one of the demo links that they gave me for testing that the vulnerability was fixed. I just used their link, because it was longer-lasting than my links; I didn't have an account, so I used the link that they gave me for this example. And so we put up a banner like this, as a "here's how to fix this, if you are here because you're vulnerable." Right? So we were trying to help guide people into fixing this, and so we had a whole write-up that was written by Karan, who's a friend of mine that I met as a part of this, who basically wrote the whole "here's how to fix yourself." So across these three days we had quite a few people join. We ended up with about 1,300 people joining this call, and that's just the people that joined while I was connected, because every single time you have somebody join, you have their icon downloaded to your computer. So these are all the icons of people that were actually in the meeting.

And so what was Zoom's initial response to this? "Not a vulnerability," to quote from them. And their initial stance: "We consciously enable the ability to have meeting joins initiated from an iframe on a web page." Yeah, right, exactly. When I asked whether it was a concern that such iframes require no click... and this is from BuzzFeed, actually... they replied, "No, that's not a security concern." Actually, an interesting side note: when I posted my tweet about this vulnerability, the first news organization that reached out to me, which was kind of fun, was BuzzFeed. I did not expect that. They do some really good reporting, but of all the news organizations that reached out to me, I was not expecting the first to be BuzzFeed. I didn't actually expect any news agencies to reach out to me, but, you know, it is what it is.

So there's a fundamental problem here, right? And the fundamental security vulnerability that I was exposing to them was their core feature, right? Their core feature was: we are one-click join you to a meeting. And I don't have anything against that, except for when you can't do that in a way that's secure, in a way that somebody else can't abuse to get you into that meeting. Right? And so I have not seen a video solution, as far as I'm aware, that allows that one-click that doesn't potentially have some sort of vulnerability in that chain. Right?

So what about Windows? So interestingly enough, Windows doesn't have the web server, right? But if you checked this "always allow these types of links in the associated app"... so this is a protocol handler, zoommtg://, right? Applications on your local computer can register handlers with the operating system for when these URL handlers get triggered, to get handled by various apps, including your browser. Right? If you checked "always allow these types of links in the associated app," then you would not get prompted about

joining this call, and Zoom would just pop open. So Windows people were just as vulnerable. So back to the Zoom chatroulette. So, yeah, we learned all this; we were also telling people, right, you need to actually go and check these settings. We get to day two, right? So I went public on Monday the 8th. The 9th rolls around; I'd been up till 5:00 a.m. in the morning, which was a stupid choice, but, yeah, so, 5 a.m., slept for about three hours, and the next day the video call is still running at full ramp. We ended up with about a hundred people consistently in the call at any one time across those two days. At around 2:00 p.m. Eastern Standard Time, the CEO of Zoom actually joins the call, which I had not expected. We had somebody, actually, the night before, that was impersonating the CEO of Zoom and said that they were on the call, with the fake name; it was not actually him. I asked him afterwards if it was him; he said no. But the actual CEO of Zoom, Eric Yuan, joined the call, and we ended up having a really interesting dialogue, with, at this point, myself, Karan and 160 people in this video call at the same time, about this vulnerability. We discussed the vulnerability; we discussed some other things. We found out, for example, that all video conferences in Zoom were unencrypted by default. I had since, after that, a day later, had a competitor come to me and say, "By the way, we have a proof of concept that can decrypt, like, we can side-channel decrypt any Zoom conference in flight." And so that vulnerability... we also discussed various other things, like the bug bounty, that the payouts were low, and some other components. And the end result was that Zoom took a step back and said, "You know what, you're right; this is a vulnerability; we will fix it." And they did end up issuing a patch Tuesday night to get rid of that web server. The problem with that, though, is if you ever installed Zoom, you would have to update or reinstall Zoom to get rid of that web server, right? So the web server, it's like the gift that keeps on giving.

So, yeah, the things that he ended up agreeing to as part of this meeting, right: they would remove the daemon; they did encrypt the chat by default; they'd have a public bug bounty program, or at least a public disclosure, like a vulnerability disclosure that is public; and increasing the bug bounty payouts on their private program. Yeah, so they have since done that. And then, thankfully, Apple gets involved. I really appreciate the Apple engineers for getting involved with this, because there was no way that Zoom was going to get rid of that web server, because if you had uninstalled Zoom, it would have lived on forever on a lot of people's computers. That becomes more important in a little bit. So also Zoom got a real fix out. They now have a dialog preview window that pops up when you join a video call. It says, I want to join with my video, or with my video off. And the only downside of this is that checkbox; it can still be disabled, but at least at that point it's quite a bit more visible. So we're good, right? Yeah.

So, but wait, this morning, the gift that keeps on giving. So, Risky Business. I woke up on Wednesday morning and I'm listening to Risky Business, which is a really great podcast. If you're looking for an information security podcast that will wake you up and make you realize, oh wow, the world's a scary place, I recommend Risky Business. They open with, yeah, there's a Zoom vulnerability, but by the way, there's this remote code execution vulnerability, and it's really easy to pull off. And I'm like, well, I didn't publish that; how do I not know about this? Well, because, you know, I'm not that good at decompiling code. Yeah, so

on the 17th, a week later, Assetnote actually did a write-up of the remote code execution vulnerability. And, yeah, so there is a demo. Okay, so remember that first bit of logic where I said there was that if-check, to check if, like, "is equal," right? Going way back: "is equal" some domain, right? There was this other bit of logic that was in there afterwards. You guys spot the security vulnerability here? I didn't, so don't worry about it. That, right there, is checking to see if those same domains, if it has the suffix of that domain on the URL provided. So if you were to supply, for example, that as your GET request, with the domain "attacked zoom us," it would parse it and it would say, yeah, that does have the suffix of .zoom.us, and you could supply your own file from that domain. Yeah, so I missed that one a little bit. But, yeah, so they went public with that, and they have a proof of concept. Let's see... yeah, so, thanks to Assetnote, yeah.
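The suffix check the speaker describes, illustrated as an added editorial example (not the speaker's code and not Zoom's actual implementation): a download-host check that only tests whether the hostname ends with an allowed domain, beside a hardened version that parses the URL, requires HTTPS, and matches the hostname exactly or as a dot-delimited subdomain. The allowed domain, the function names and the sample download URLs are assumptions constructed for this example.

```python
from urllib.parse import urlsplit

# Domain the hypothetical updater is supposed to download from (assumed).
ALLOWED_DOMAINS = ("zoom.us",)


def weak_download_url_ok(url: str) -> bool:
    """Illustrative reconstruction of the weak check: pull the host out of
    the URL with string splitting and ask whether it *ends with* an allowed
    domain. Without a leading dot, any look-alike host such as
    'attackerzoom.us' passes, and the scheme is never inspected."""
    host = url.split("://", 1)[-1].split("/", 1)[0].lower()
    return any(host.endswith(domain) for domain in ALLOWED_DOMAINS)


def strict_download_url_ok(url: str) -> bool:
    """Hardened check: parse the URL properly, require HTTPS and a plain
    host (no user:pass@ prefix), then accept the hostname only if it is
    exactly an allowed domain or a dot-delimited subdomain of one."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    if parts.username is not None or parts.password is not None:
        return False
    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        return False
    return any(host == d or host.endswith("." + d) for d in ALLOWED_DOMAINS)


# Constructed sample download URLs; only the first two should ever be trusted.
SAMPLE_URLS = [
    "https://zoom.us/client/latest/update.pkg",        # legitimate
    "https://cdn.zoom.us/client/update.pkg",           # legitimate subdomain
    "https://attackerzoom.us/update.pkg",              # look-alike host
    "http://zoom.us/update.pkg",                       # plain-HTTP downgrade
    "https://zoom.us.attacker.example/update.pkg",     # allowed name as prefix
]


def compare_checks(urls=SAMPLE_URLS):
    """Return {url: (weak_result, strict_result)} so the gap between the
    two checks is visible side by side."""
    return {u: (weak_download_url_ok(u), strict_download_url_ok(u)) for u in urls}


if __name__ == "__main__":
    for url, (weak, strict) in compare_checks().items():
        print(f"{url:48s} weak={str(weak):5s} strict={strict}")
```

The look-alike host and the plain-HTTP URL are exactly the inputs the weak check waves through while the strict check rejects them.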

yeah there you go and calculator yeah so yeah so there was a remote code execution vulnerability in that I server this is still the gift that just keeps on giving oh come on now there's no white labels are so this apparently very popular in the the car industry where companies will buy other companies cars put their brand on it and resell it apparently zoom was doing this with a couple companies RingCentral yeah there was there was like 13 this I only could find logos for these five but yeah so ringcentral which is really big in the telecom industry Telus meeting BTI BT cloud phone meetings office week HD AT&T biz computing zoom moon which is a Chinese version of zoom

zoom CN EarthLink get like so all these companies were all white labels of zoom software yes earth blink earth link meeting room was that was the yeah and video conferenced elements and accession meeting yeah so all these were also vulnerable to the same wrote quote excuse me vulnerable ad yeah thankfully Apple stepped in again and they've also removed all of these from your computer so the thing that I learned about Apple as part of this is Apple has software that can remove malware from your computer they call it malar removal tool they didn't consider zoom software malware but it was the tool for the job so they used it and I really appreciate that they used it because now everybody the

four million plus people are not vulnerable to remote code execution vulnerabilities if they'd uninstalled these applications and left the web server behind so what about soon now right they now own public vulnerabilities closure system if you go to zoom dot us slash security you'll find out to yield report vulnerabilities publicly they now the staging area for 20 meetings and they are student Li ramping up their security stance I can't really state what I know but I've talked to a lot of people and I know that they are significantly improving their security stance in this space they are doing hiring and they are engaging in conversations with the right people to improve this situation in the future so

there is a vested interest in trying to prevent this from happening again. Like, yes, so there has been learning in this area. What about browsers? So, no, we're good, we're good, I think we've reached all the, like, dropping sort of moments. So remember that, like, join... Zoom, the URL protocol handler? You'll notice that the checkbox is gone in Chrome, so yay, awesome, you now have to always say yes. And Firefox? Okay, well, come on, Firefox. I have... I actually need to file... I have an open issue with Firefox and I need to follow up with them. So yeah, so I kind of... so just

to take a little bit of extra time and just talk about how this went wrong, right? A couple of components here. Zoom handled this vulnerability in such a way that they immediately took a vulnerability that was public, and people could see, and they said no, this is not a vulnerability. And so part of... I think that a fundamental part of this was the culture at Zoom. And I think that we can all, everybody in any of our companies, can get wrapped up in this idea that what we're selling is awesome, right? And we get to expect behavior that we know about, because we have a deep and intimate relationship

with that technology, right? And for Zoom, they were all about video conferencing. They had a culture where the CEO, and this is what I've heard, would sit in video calls at his desk and just invite people to come join those video calls to talk to him. That was a fundamental part of their culture: video is an open door to come communicate with people. And when somebody comes in and says your core value-add has a fundamental security vulnerability about it, that's going to be really hard for a company to listen to and hear, right? And so one of the components here was the ability to

kind of take your software and be willing to think about it as now running in these certain scenarios, like, people don't expect it to behave like this. That can be really hard, but it's important when certain vulnerabilities like this come on. The other component is there's this analogy of two batons: when any breach occurs or anything like that, there's two batons. One is that this is not really a big issue, and then there's the other side, which is yeah, this is a big deal. And whichever one you pick up, the media is probably going to pick up the other one. And so there's this component to it

where you kind of want to validate how people are going to feel about this thing, because if you don't, you're going to end up having the public and the media possibly take up that alternative view that you don't want. The other component is making sure that all the information is out there, along with rolling back and being willing to take an analysis of the situation and say, you know what, this was a mistake and we will fix it. So yeah, the other component that I don't have a slide for, spoiler, is the follow-up that I had with both Bugcrowd and HackerOne. So after this whole disclosure went through, one of the things that you'll notice

throughout Bugcrowd, sorry, and these programs, is that a lot of companies have private programs, right? And these private programs usually have non-disclosure agreements attached to them. No, it's fine, I don't need the slides right now, don't worry about it, thank you. So HackerOne and Bugcrowd both have these programs, but there's no really good way of saying, like, I have a bug in a company's software, for example a company that runs their bug bounty program through HackerOne or Bugcrowd, and saying I would like to disclose

this vulnerability, but I don't agree to the terms of the bug bounty program. Like, I don't fundamentally like the terms of the bug bounty program. And the interesting response that I got from Bugcrowd, which they have since apologized for, was an immediate response of: yes, we're really glad that you didn't disclose via their program, because had you gone in using their bug bounty program and then tried to hold them to a 90-day disclosure window, basically you probably would have been evicted from the platform had you done that. And so yes, I'm very thankful that I didn't use it, because I'd like to still be able to use Bugcrowd

in the future. HackerOne took a different approach: they actually changed their policy around disclosure, and they added some guidance for people that wanted to disclose vulnerabilities but did not want to go through the bug bounty program for the company. They said you can disclose it through us by our just general reporting, and they will guide you to the right channels. So there are a lot of problems with bug bounty programs currently, where it's hard to hold these companies to disclosure windows, because fundamentally, when they have these private programs, they say no disclosure; they're kind of buying your silence. And I don't really

do that. Especially in the Zoom case, had I not gone public, Apple probably wouldn't have stepped in and fixed this. It wouldn't have been public, nobody would have known about this, and who would have come in to get rid of this remote code execution from millions of computers? And so non-disclosure, when it comes to big issues like this, can be really, really detrimental in the long term. And so I think that public disclosure is an important part of this process, especially when we have shipped software. It's not necessarily as important when you have a SaaS service, where the company only ships their software for themselves, but when you're dealing with shipped software that's sold like this,

there should be CVEs assigned, there should be public disclosure of these things, and you should have a remediation, and you need to also maybe engage with Apple to say, hey, we need to get rid of this. So yeah, my new comeback, oh please. I think that's about it for me. My HDMI connection has cut out now, let's turn off... all right, so, I have... second, yeah. So it's just my thank-you slide, so you can reach me, find me on Twitter at... and Sonic, yeah. Yeah, okay, so you can even find me at J Leitschuh, so my last name, which nobody... yeah, there we go. So you can find me on Twitter.

I do have demos, DMs... Oh, I also had a lot of people that have since come to me and say, hey, I found this X weird thing, what do you think? And I've been like, I will have a look, or I have other people that I now know that can help you look at things, because there are other people that I realize are out there that can help you figure out the dynamics of the vulnerability. And so yeah, are there any questions at this time? Yeah, anything? Yes. Private? They... so the reason I can say they have a private program is because they told... they have a public thing that now says they have a

public, but ever heard... I do not feel comfortable sharing that information, because the information that I know is technically... I'm in their program, and not a lot to talk about. So, right, yeah. So in response, though, I want to say: so I did turn down the initial bug bounty program. The CEO of Zoom... I've since had a lot of conversations with him. He did really appreciate that I went public about that; well, he's appreciative of the end results, right. And at the end of this whole thing, I did end up with a sizeably larger bug bounty paid out. I'm not going to say how much, but it netted me quite a bit more money, and my college

loans are quite a chunk off of that, which is appreciated. So, yes.

Yeah, I haven't... I don't have a number. Yeah, right, yeah, how many zeros, right, I know. No, I'd actually... I haven't actually, so I'm not willing to disclose that. I'm in their bug bounty program; if I were to disclose the amount I would be at risk of getting thrown off of Bugcrowd in general, right. And so I don't necessarily... I mean, I could probably comfortably leave Zoom's bug bounty program, because I'd probably disclose via their public channel anyway in the future. I probably would not use their private bug bounty program, because their rules are still non-disclosure, right, in that private program; I would not use that. So I don't know that quite

answered your question. And as to my selling point: I firmly believe that user security matters, right? I also really like telling a story, and, you know, those two components tie together. Like, I don't want to be having my silence bought, except if I'm necessarily working for a company; that, I think, is understandable. When you're finding vulnerabilities, especially when there are vulnerabilities that are important to become public because they impact a much wider space, you have shipped a piece of software, and if you don't go public about it, you're not necessarily going to get the response for a fix that you need for that vulnerability. That's where there is a serious problem. So yeah.

Anybody? No, I reached out to them, I sent them the information. This is a dynamic there that I also can't talk about. Anybody else? Yeah, please also feel free to come up and talk to me afterwards; I'm happy to chat about it afterwards. So yeah, I appreciate your time, I appreciate your humorous laughter. The only other thing is, you know, the slides were from SlidesCarnival; appreciate them for giving me the nice backgrounds. Thank you all so much, I really appreciate it. [Applause]