BugHunters — Bug Bounty Platform
    Back to Programs
    Zoom

    Zoom

    Productivity

    Video communications platform providing meetings, webinars, chat, and phone services for enterprise and personal use.

    https://zoom.us

    Max Reward

    $50,000

    Total Paid

    $2,800,000

    Resolved

    289

    Avg Response

    3 days

    In-Scope Assets

    zoom.us

    Web portal, scheduling, and recordings

    Zoom Client

    Desktop and mobile applications

    Zoom API

    REST API and WebSocket events

    Zoom SDK

    Video and meeting SDKs

    Out of Scope

    • Zoom Marketplace third-party apps
    • Phone hardware
    • Zoom IQ AI features

    Severity Levels & Rewards

    Critical

    RCE, authentication bypass, privilege escalation, fund extraction

    High

    Stored XSS, CSRF with impact, API abuse, data manipulation

    Medium

    Reflected XSS, data leakage, logic flaws, information disclosure

    Low

    Verbose errors, minor config issues, low-impact info disclosure

    Active Bounties (2)

    IDTitleSeverityStatusRewardSubmissions
    ZM-001Meeting takeover via predictable meeting ID generation
    Critical
    Resolved
    		$15,000–$50,0006
    ZM-002Screen share data exfiltration via malicious virtual background
    High
    Open
    		$5,000–$15,0000

    Rules of Engagement

    • Do not access, modify, or delete data belonging to other users.

    • Do not perform denial-of-service attacks or automated scanning at high volume.

    • Report vulnerabilities promptly and provide sufficient detail to reproduce.

    • Allow reasonable time for fix before public disclosure (90 days).

    • Safe harbor: We will not pursue legal action against researchers acting in good faith within these rules.