CEO Report: 90 Days Done, What’s Next for Zoom

During the first few months of 2020, the Zoom team worked around the clock to support the tremendous influx of new and different types of users on our platform. The sudden and increased demand on our systems was unlike anything most companies have ever experienced. As March came to a close, we realized that our singular mission to deliver frictionless video communications to hundreds of millions of daily meeting participants needed to include an equivalent focus on security and privacy – areas where we needed to do more.


On April 1, 2020, we pledged to make a number of enhancements to address security and privacy. The 90-day program we rolled out that day refocused our company on 7 commitments that embedded security and privacy permanently in Zoom’s DNA. Today I will provide a status update on each of those commitments, as well as share our path forward.


Commitment #1: Enact a feature freeze, effective April 1, and shift all our engineering resources to focus on our biggest trust, safety, and privacy issues.


Status: We enacted a 90-day freeze on all features not related to privacy, safety, or security. With all of our engineering and product resources aimed in this direction, we released over 100 features including the following:


• Zoom 5.0
  o AES 256 GCM encryption (available to all users, free and paid)
  o UI updates – Security icon, green encryption shield with data center location click through
  o Report a User
  o Meeting defaults – password, waiting room, and limited screen sharing
  o Other features – host disable multiple device login, unmute consent, cloud recording expiration, tighter Zoom Chat controls, and more
• Acquired Keybase and started building end-to-end encryption (for all users, free and paid)
• Offered customized data routing by geography


Going forward, we have put mechanisms in place to make sure that security and privacy remain a priority in each phase of our product and feature development:


• Design phase: Security requirements, risk assessment, threat modeling
• Build: Secure code guidelines, self-service scanning, CI/CD tools
• Test: Security testing, automated test execution, web testing tools
• Stage: Secure configuration, integrity monitoring, validate requirements
• Production: Monitoring the security of our system, system health, threat landscape


Commitment #2: Conduct a comprehensive review with third-party experts and representative users to understand and ensure the security and privacy of all of our new use cases.


Status: We have worked with a group of third-party experts to review and make enhancements to our products, practices, and policies, including our CISO advisory council, Lea Kissner, Alex Stamos, Luta Security, Bishop Fox, Trail of Bits, NCC Group, Praetorian, CrowdStrike, Center for Democracy and Technology, and other organizations in the privacy, safety, and inclusion spaces. The contributions of everyone on this list have been tremendous and we are so grateful for their help.


Commitment #3: Prepare a transparency report that details information related to requests for data, records, or content.


Status: We have made significant progress defining the framework and approach for a transparency report that details information related to requests Zoom receives for data, records, or content. We look forward to providing the fiscal Q2 data in our first report later this year. In the meantime, we have recently created a guide for how we respond to government requests. We also updated our privacy policies, mostly to make them easier to understand, and added a separate California Privacy Rights Statement. You can find these documents on


Commitment #4: Enhance our current bug bounty program.


Status: We have developed a Central Bug Repository and related workflow processes. This repository takes vulnerability reports from HackerOne, Bugcrowd, and [email protected] (the latter of which does not require an NDA) triaged through Praetorian. We established an ongoing review process with daily meetings, and improved our coordination with security researchers and third-party assessors. We also hired a Head of Vulnerability and Bug Bounty, several additional appsec engineers, and are in the process of hiring more security engineers, all dedicated to addressing vulnerabilities. In the meantime, we’re focused on improving our response times. Overall, our bug bounty process is solid, and will only be stronger as we accomplish our hiring objectives. We are grateful to Luta Security for their help in this process.


Commitment #5: Launch a CISO council in partnership with leading CISOs from across the industry to facilitate an ongoing dialogue regarding security and privacy best practices.


Status: We launched our CISO council, composed of 36 CISOs from a variety of industries, including SentinelOne, Arizona State University, HSBC, and Sanofi. This council, led by our Deputy CIO Gary Sorrentino, has met four times over the past three months and advised on important matters such as regional data center selection, encryption, meeting authentication, and features such as Report a User, Passwords, and Waiting Rooms. The council has proven to be such a success, we will extend this program with CISO Roundtables — interactive discussions between CISO customers and our security team leaders to understand the measures that Zoom has taken and will take in the future to ensure the security and privacy of our platform. Interested CISOs and CIOs can ask their Zoom Account Executive for more information.


Commitment #6: Engage a series of simultaneous white box penetration tests to further identify and address issues.


Status: Zoom engaged multiple firms – Trail of Bits, NCC Group, and Bishop Fox – to review our entire platform. Their scope of work covered:


• Zoom production environment, both public and co-located data centers:
  o Cloud configuration
  o External IP space
  o Internal production network
• Zoom core web application and Zoom corporate network:
  o Internal network
  o External perimeter
• Public API for common clients
  o Mobile clients
  o Desktop clients


Zoom is committed to continuous third-party penetration tests as a foundation of its security program.


Commitment #7: Host a weekly webinar on Wednesdays to provide privacy and security updates to our community.


Status: Including the webinar this week, we have hosted 13 of these webinars total, every Wednesday since April 1. These virtual events featured a number of our executives and consultants who took live questions from the attendees. We also shared a recap and recording of the webinars on our blog every Wednesday. We will continue these webinars, the next on July 15, and then move to a monthly cadence.


Other key updates


We’ve taken some additional noteworthy steps:


• We made several key leadership additions or changes since April 1, including:
  o Velchamy Sankarlingam, President of Product and Engineering
  o Jason Lee, Chief Information Security Officer
  o Damien Hooper-Campbell, Chief Diversity Officer
  o Aparna Bawa was named Chief Operating Officer, and now oversees Zoom’s security efforts
  o Lynn Haaland, Deputy General Counsel and Chief Compliance and Ethics Officer, also was named Chief Privacy Officer
  o H.R. McMaster added to the Zoom Board of Directors
  o Josh Kallmer, Global Head of Public Policy and Government Relations
  o Ginny Lee, Associate General Counsel, Privacy
  o Mara Davis, Associate General Counsel, Compliance & Ethics
  o Head of Vulnerability and Bug Bounty, starts 7/13
  o Andy Grant, Head of Offensive Security, starts 7/13
• Zoom Phone added to Zoom for Government, which is already authorized under the U.S. Federal Risk and Authorization Management Program (FedRAMP)
• We remain committed to significantly growing our US-based engineering team to support increased usage with new offices based in Phoenix, Arizona and Pittsburgh, Pennsylvania


Where do we go from here


This period has brought about meaningful change at our company and made the safety, privacy, and security of our platform central to all we do, as we strive to be worthy of the trust customers place in us. I am proud of, and humbled by, the role Zoom has played in connecting the world in crisis, and in all that our team has accomplished in the past 90 days to better secure our platform.


But we cannot and will not stop here. Privacy and security are ongoing priorities for Zoom, and this 90-day period – while fruitful – was just a first step. Throughout this report I have provided information on new processes and people that will help Zoom on our journey to becoming the most frictionless and secure video communications platform in the world.


Thank you to our users for your support, patience, and trust. Our core value as a company is to care, and we hope we have shown that through our actions over these past 90 days — and will continue to show it through future actions.

