Vulnerability Disclosure Policy details

Coordinated Vulnerability Disclosure
Zoom follows the principles of Coordinated Vulnerability Disclosure (CVD) as laid out by The CERT Guide to Coordinated Vulnerability Disclosure. We encourage researchers to disclose newly discovered vulnerabilities in Zoom hardware, software, or services as soon as they are discovered. We will coordinate with reporters throughout the vulnerability investigation and provide updates on the progress. We aim to be as responsive and transparent as possible throughout the entire process in delivering a remediation for a reported vulnerability.

Safe harbor
Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

Report through our vulnerability disclosure policy program

To report a security vulnerability in one of Zoom's products or services, please submit a vulnerability report through our VDP program.

 

Note: the submission form is powered by HackerOne and thus submitters are subject to HackerOne terms and conditions.

Submit your issue via email

If you are unable or unwilling to use our online form, you may alternatively submit your issue to security-reports@zoom.us.

Please encrypt all email communications using Zoom's PGP public key.

Please provide as much detail as possible about the vulnerability including: name, time of finding, summary of issue, product or system URL, product version reproduced on, vulnerability reproduction steps/POC.

For details on Zoom’s private Bug Bounty Program: