CEO Report: 90 Days Done, What’s Next for Zoom

During the first few months of 2020, the Zoom team worked around the clock to support the tremendous influx of new and different types of users on our platform. The sudden and increased demand on our systems was unlike anything most companies have ever experienced. As March came to a close, we realized that our singular mission to deliver frictionless video communications to hundreds of millions of daily meeting participants needed to include an equivalent focus on security and privacy – areas where we needed to do more.


On April 1, 2020, we pledged to make a number of enhancements to address security and privacy. The 90-day program we rolled out that day refocused our company on 7 commitments that embedded security and privacy permanently in Zoom’s DNA. Today I will provide a status update on each of those commitments, as well as share our path forward.


Commitment #1: Enact a feature freeze, effective April 1, and shift all our engineering resources to focus on our biggest trust, safety, and privacy issues.


Status: We enacted a 90-day freeze on all features not related to privacy, safety, or security. With all of our engineering and product resources aimed in this direction, we released over 100 features including the following:


• Zoom 5.0


o AES 256 GCM encryption (available to all users, free and paid)
o UI updates – Security icon, green encryption shield with data center location click through
o Report a User
o Meeting defaults – password, waiting room, and limited screen sharing
o Other features – host disable multiple device login, unmute consent, cloud recording expiration, tighter Zoom Chat controls, and more

• Acquired Keybase and started building end-to-end encryption (for all users, free and paid)


• Offered customized data routing by geography


Going forward, we have put mechanisms in place to make sure that security and privacy remain a priority in each phase of our product and feature development:


• Design phase: Security requirements, risk assessment, threat modeling
• Build: Secure code guidelines, self-service scanning, CI/CD tools
• Test: Security testing, automated test execution, web testing tools
• Stage: Secure configuration, integrity monitoring, validate requirements
• Production: Monitoring the security of our system, system health, threat landscape


Commitment #2: Conduct a comprehensive review with third-party experts and representative users to understand and ensure the security and privacy of all of our new use cases.


Status: We have worked with a group of third-party experts to review and make enhancements to our products, practices, and policies, including our CISO advisory council, Lea Kissner, Alex Stamos, Luta Security, Bishop Fox, Trail of Bits, NCC Group, Praetorian, Crowdstrike, Center for Democracy and Technology, and other organizations in the privacy, safety, and inclusion spaces. The contributions of everyone on this list have been tremendous and we are so grateful for their help.


Commitment #3: Prepare a transparency report that details information related to requests for data, records, or content.


Status: We have made significant progress defining the framework and approach for a transparency report that details information related to requests Zoom receives for data, records, or content. We look forward to providing the fiscal Q2 data in our first report later this year. In the meantime, we have recently created a guide for how we respond to government requests. We also updated our privacy policies, mostly to make them easier to understand, and added a separate California Privacy Rights Statement. You can find these documents on


Commitment #4: Enhance our current bug bounty program.


Status: We have developed a Central Bug Repository and related workflow processes. This repository takes vulnerability reports from HackerOne, Bugcrowd, and (the latter of which does not require an NDA) triaged through Praetorian. We established an ongoing review process with daily meetings, and improved our coordination with security researchers and third-party assessors. We also hired a Head of Vulnerability and Bug Bounty, several additional appsec engineers, and are in the process of hiring more security engineers, all dedicated to addressing vulnerabilities. In the meantime, we’re focused on improving our response times. Overall, our bug bounty process is solid, and will only be stronger as we accomplish our hiring objectives. We are grateful to Luta Security for their help in this process.


Commitment #5: Launch a CISO council in partnership with leading CISOs from across the industry to facilitate an ongoing dialogue regarding security and privacy best practices.


Status: We launched our CISO council, composed of 36 CISOs from a variety of industries, including SentinelOne, Arizona State University, HSBC, and Sanofi. This council, led by our Deputy CIO Gary Sorrentino, has met four times over the past three months and advised on important matters such as regional data center selection, encryption, meeting authentication, and features such as Report a User, Passwords, and Waiting Rooms. The council has proven to be such a success, we will extend this program with CISO Roundtables — interactive discussions between CISO customers and our security team leaders to understand the measures that Zoom has taken and will take in the future to ensure the security and privacy of our platform. Interested CISOs and CIOs can ask their Zoom Account Executive for more information.


Commitment #6: Engage a series of simultaneous white box penetration tests to further identify and address issues.


Status: Zoom engaged multiple firms – Trail of Bits, NCC Group, and Bishop Fox – to review our entire platform. Their scope of work covered:


• Zoom production environment, both public and co-located data centers:


o Cloud configuration
o External IP space
o Internal production network


• Zoom core web application and Zoom corporate network:


o Internal network
o External perimeter


• Public API for common clients


o Mobile clients
o Desktop clients


Zoom is committed to continuous third-party penetration tests as a foundation of its security program.


Commitment #7: Host a weekly webinar on Wednesdays to provide privacy and security updates to our community.


Status: Including the webinar this week, we have hosted 13 of these webinars total, every Wednesday since April 1. These virtual events featured a number of our executives and consultants who took live questions from the attendees. We also shared a recap and recording of the webinars on our blog every Wednesday. We will continue these webinars, the next on July 15, and then move to a monthly cadence.


Other key updates


We’ve taken some additional noteworthy steps:


• We made several key leadership additions or changes since April 1, including:


o Velchamy Sankarlingham, President of Product and Engineering
o Jason Lee, Chief Information Security Officer
o Damien Hooper-Campbell, Chief Diversity Officer
o Aparna Bawa was named Chief Operating Officer, and now oversees Zoom’s security efforts
o Lynn Haaland, Deputy General Counsel and Chief Compliance and Ethics Officer, also was named Chief Privacy Officer
o H.R. McMaster added to the Zoom Board of Directors
o Josh Kallmer, Global Head of Public Policy and Government Relations
o Ginny Lee, Associate General Counsel, Privacy
o Mara Davis, Associate General Counsel, Compliance & Ethics
o Head of Vulnerability and Bug Bounty, starts 7/13
o Andy Grant, Head of Offensive Security, starts 7/13


• Zoom Phone added to Zoom for Government, which is already authorized under the U.S. Federal Risk and Authorization Management Program (FedRAMP)


• We remain committed to significantly growing our US-based engineering team to support increased usage with new offices based in Phoenix, Arizona and Pittsburgh, Pennsylvania


Where do we go from here


This period has brought about meaningful change at our company and made the safety, privacy, and security of our platform central to all we do, as we strive to be worthy of the trust customers place in us. I am proud of, and humbled by, the role Zoom has played in connecting the world in crisis, and in all that our team has accomplished in the past 90 days to better secure our platform.


But we cannot and will not stop here. Privacy and security are ongoing priorities for Zoom, and this 90-day period – while fruitful – was just a first step. Throughout this report I have provided information on new processes and people that will help Zoom on our journey to becoming the most frictionless and secure video communications platform in the world.


Thank you to our users for your support, patience, and trust. Our core value as a company is to care, and we hope we have shown that through our actions over these past 90 days — and will continue to show it through future actions.

