Security Update and Our Ongoing Efforts
To Our Valued Customers:
Earlier this week, a security researcher published a blog highlighting concerns with aspects of the Zoom platform. In engaging this researcher over the past 90 days, we misjudged the situation and did not respond quickly enough — and that’s on us. We take full ownership and we’ve learned a great deal. What I can tell you is that we take user security incredibly seriously and we are wholeheartedly committed to doing right by our users.
We are making a number of changes to ensure that we do better. Here is what we’ve already done and plan to do:
Tuesday, July 9
Zoom issued an update to our Mac app with the following:
Removed the local web server via a prompted update
Allowed users to manually uninstall Zoom. This new option to the Zoom menu bar allowed users to manually uninstall the Zoom client, including the local web server. A new menu option says, “Uninstall Zoom.” By clicking that button, Zoom’s app and web server are removed from the user’s device along with the user’s saved settings
Wednesday, July 10
Apple issued an update to ensure that the Zoom web server is removed from Macs, even if the user did not update their Zoom app or deleted it before we issued our July 9 patch. Zoom worked with Apple to test this update, which requires no user interaction.
Sunday, July 14
[Section updated 5:45 am PT, 7/15/19]
Zoom’s July 14 update addresses video on by default. This update applies to Zoom apps running on Mac, Windows, Linux, Chrome OS, iOS (pending AppStore approval), and Android.
Zoom has implemented a video preview feature that pops up before any participant joins a meeting where their video will be on. The participant is able to opt to join with video, opt to join without video, or dismiss the prompt to not join the meeting at all. Additionally, the participant may also check a box to always see the video preview when joining a video meeting (this box will be checked by default).
This update is an enhancement to the July 9 version. First-time participants now also see the video preview dialog box.
Improving bug bounty program: Zoom will go live with its public vulnerability disclosure program in the next few weeks, supplementing our existing private bug bounty program. In the meantime, we encourage anyone with security concerns to reach out at support.zoom.us
Our current escalation process clearly wasn’t good enough in this instance. We have taken steps to improve our process for receiving, escalating, and closing the loop on all future security-related concerns
Zoom is a platform built around and for our customers and maintaining your trust is paramount. We hope through these ongoing efforts we will regain and rebuild any lost confidence, and build a stronger service for our customers.
Eric S. Yuan
Zoom Founder and CEO
source : blog.zoom.us