This might be the best one-sentence summary: “Zoom’s security is at best sloppy, and malicious at worst.”
And their reactions to past security-related issues have a definite “we don’t really care” attitude, though that seems to have improved recently.
And I agree with your point that they are “focused on growth and features over hiring the best security/bughunting staff”. That would actually seem to give further credence to their security being “sloppy at best”.
As to whether or not it’s “not that bad”, I guess that depends on what your needs are and what “not that bad” means. I would argue that most “web companies” *should* be held liable to at least a minimum level of security/privacy regardless of who their intended audience is. But I don’t have any good answers as to what that means.
I guess there’s a difference between “sloppy” and “Zoom is malware”, which is the official position of security twitter and some parts of the media as of today. As bad as they are, I’m afraid none of the examples of bugs in Bruce Schneier’s article look remarkably different than what you can find reading the weekly security reports on hackerone.com.
https://www.schneier.com/blog/archives/2020/04/security_and_pr_1.html