Yahoo plots bug bounties up to $15,000

Powered by SC Magazine
 

Previous $12.50 rewards were funded from IT security team's pockets.

Yahoo will reward security researchers who find vulnerabilities in its platforms with payments of between $150 and $15,000 from the end of October under a major overhaul of its bug bounty system.

The amount of the reward will depend on the severity of the reported issue. The scheme replaces what has emerged as an informal reward system that was administered and paid for by the internal security team (known as the 'Yahoo Paranoids') themselves.

That informal reward system was tested and criticised this week by Swiss penetration testers High-Tech Bridge, who said they had been rewarded for finding cross-site scripting vulnerabilities with a US$12.50 voucher that could be used to buy Yahoo-branded merchandise.

Yahoo Paranoids director Ramses Martinez said in a blog post today that until now, Yahoo had not run a formal reward system for people that dob in vulnerabilities.

He said he personally started buying t-shirts and sending them to researchers "as a personal 'thanks'".

"It wasn't a policy, I just thought it would be nice to do something beyond an email," Martinez said. "It wasn't about the money, just a personal gesture on my behalf."

Martinez said once researchers had a t-shirt, he switched to sending gift certificates "so they could get another gift of their choice".

He said despite the low-key reward system, vulnerability reports were taken seriously and patched quickly. The Swiss research firm at the centre of what Martinez has dubbed "t-shirt gate" did note that the XSS bugs they found were patched fairly quickly.

Martinez said when news of the informal reward system went public this week, his inbox "was full of angry emails from people inside and outside of Yahoo. How dare I send just a t-shirt to people as a thanks?"

He said a new bug bounty system had been in the works, but this week's issues have seen the details fast-tracked.

Apart from financial rewards, Yahoo plans to make reporting of bugs easier and to provide more formal recognition for bug finders — taking up another suggestion made by the Swiss researchers.

Martinez said although the new bug bounty policy wouldn't take effect until the end of this month, it would be backdated to July 1 this year.

He said Yahoo would contact all bug hunters that had reported vulnerabilities since then, including the Swiss researchers, who could expect a financial reward even though they "didn't like my t-shirt".

Copyright © iTnews.com.au. All rights reserved.
