App Vulnerabilities

Goals

To determine whether Zoom, Google Hangouts, Apple FaceTime, Skype, GoToMeeting, Microsoft Teams, Facebook Messenger (and FB Messenger Kids), WhatsApp, Houseparty, Signal (open source), Discord, Jitsi (open source), BlueJeans, Doxy.me, and Cisco Webex manage vulnerabilities, that is, whether or not they have a bug bounty program.

Early Findings

ZOOM

  • Zoom has a bug bounty program. On April 1st, 2020, it announced that, due to the unexpected influx of users it had seen, it would be revamping its bug bounty program.

Google Hangouts/Google Duo

  • For all its products and solutions, including Google Hangouts and Google Duo, Google has a bug bounty program that it calls a "Vulnerability Reward Program."
  • In 2018, Google paid $3.4 million in rewards to over 300 security researchers who discovered bugs on any of its platforms. Google has several other security reward programs. More information on all its security reward programs can be found here.

Apple

  • Apple calls its bug bounty program a security bounty program. Details on the program can be found here.
  • Researchers have reportedly been hesitant to help Apple with its security because the company only offers about $200,000 to security researchers who discover these vulnerabilities; the bugs are often "more valuable to sell elsewhere than to report." In February 2019, Apple compensated a 14-year-old teenager who discovered a major security flaw in FaceTime that let people eavesdrop on iPhone users.

Skype

  • Microsoft has a bug bounty program for all its products, including Skype.
  • It pays security researchers who discover vulnerabilities in any of its programs rewards of about $15,000 to $300,000.

SUMMARY

  • Due to time constraints, our initial research only focused on four of the products/companies in the spreadsheet.
  • For the purpose of this request, a bug bounty program is synonymous with a vulnerability reward program or a security reward program.
