Zoom CEO Eric Yuan has announced to deliver an update on progress as the company takes radical steps to enhance the security of its core product. Yuan pledged a number of enhancements to address security and privacy within Zoom, to be delivered over a 90-day programme.

Its first commitment was the enactment of a feature freeze and a shifting of all Zoom’s engineering and development resources to focus on security and privacy. In the past three months, it has released more than 100 new features, including version 5.0 of Zoom, featuring AES 256 GCM encryption, user interface updates, default passwords and pre-entry waiting rooms, as well as new features to help hosts keep their meetings secure, and keep malicious users at bay.

It has also moved to address its previous flip-flopping on end-to-end encryption, partly through its acquisition of Keybase, and put in place new mechanisms to ensure security and privacy by design in all future development.

Its second commitment, a comprehensive review to ensure security and privacy, has seen the appointment of a group of CISO advisers, third-party experts, power users, and other organisations in the privacy, safety, inclusion and social justice space.

Its third commitment, to prepare transparency report detailing information on requests for data, records or content, has seen significant progress, said Yuan, including the recent creation of a guide on how Zoom responds to government data access requests, and new policies, including those relating to new privacy legislation in California.

Its fourth commitment, to enhance its bug bounty programme, has seen the development of a central bug repository, with input from the likes of HackerOne and Bugcrowd, a review process, and improved communication with security researchers and third-party assessors. Yuan has also hired a head of vulnerability and bug bounty and a number of application security engineers.

Its fifth commitment, the creation of its CISO council, has proved successful, with a number of meetings and discussions having already taken place, incorporating input from more than 30 major organisations, including HSBC and Sanofi. This panel has advised on, among other things, regional datacentre selection, encryption, meeting authentication, and other new features. Going forward, it will run a series of CISO roundtables to keep this dialogue fresh.

Its sixth commitment, to conduct a series of penetration tests, has been achieved with the help of the likes of Trail of Bits, NCC and Bishop Fox, which repeatedly probed and reviewed multiple systems, including Zoom’s production environment, public and colocated datacentres, its core web app and corporate network, and its public API (application programming interface) for mobile and desktop clients.

Its final commitment, to host a weekly Wednesday webinar, has seen 13 meetings take place led by Zoom executives and consultants taking live questions from attendees. These webinars will continue, although they will now shift to monthly, with the next to take place on 15 July.