Comment by Kalium

6 years ago

Some kinds of NDA terms are not unheard of, like a 1-3 month period in which to work on things, during which disclosures won't go out.

That said, there's a slight disconnect between Zoom's two statements here. The first is that the researcher declined out of concerns over Zoom's NDA. The second is that NDAs are common. What this doesn't say is that Zoom's NDA is cookie-cutter or what the specific terms are.

If I were to guess, Zoom was using some unusual NDA and attempting to buy permanent silence.

Thanks for the explanation. That makes sense and seems pretty reasonable. The company should certainly have the opportunity to fix the vulnerability before it's made public and could be exploited.

> If I were to guess, Zoom was using some unusual NDA and attempting to buy permanent silence.

Considering that Zoom ultimately decided not to correct the issue I suspect you're right.

  • From the Medium post:

    > - Offered and declined a financial bounty for the report due to policy on not being able to publicly disclose even after the vulnerability was patched.

I'd have to guess this as well. I have dealt with a number of public and private bounties, and not one of the researchers has ever rejected an NDA or not allowed us time to remediate before they could disclose this information to 3rd parties. Unless you count Tavis tweeting critical findings I guess.

And to be fair, none of the times I've engaged a private bounty have been due to some massively critical bug that impacted privacy or could hijack parts of client systems. I could see that if the researcher worked with Zoom and didn't feel like they took it seriously they would refuse this and just disclose it due to the impact it has.

  • The researcher makes it clear that they rejected the NDA because it was a permanent gag on any discussion (even after patching). With that in mind, and this clearly being an intentional design, I can see why it might come off as Zoom not taking the issue seriously.