Yahoo plots bug bounties up to $15,000


Previous $12.50 rewards were funded from IT security team's pockets.

Yahoo will reward security researchers who find vulnerabilities in its platforms with payments of between $150 and $15,000 from the end of October under a major overhaul of its bug bounty system.

The amount of the reward will depend on the severity of the reported issue, and will replace what has emerged as an informal reward system that was being administered and paid for by the internal security team themselves (which is known as 'Yahoo Paranoids').

That informal reward system was tested and criticised this week by Swiss penetration testers High-Tech Bridge, who said they had been rewarded for finding cross-site scripting vulnerabilities with a US$12.50 voucher that could be used to buy Yahoo-branded merchandise.

Yahoo Paranoids director Ramses Martinez said in a blog post today that until now, Yahoo had not run a formal reward system for people who dob in vulnerabilities.

He said he personally started buying t-shirts and sending them to researchers "as a personal 'thanks'".

"It wasn't a policy, I just thought it would be nice to do something beyond an email," Martinez said. "It wasn't about the money, just a personal gesture on my behalf."

Martinez said once researchers had a t-shirt, he switched to sending gift certificates "so they could get another gift of their choice".

He said despite the low-key reward system, vulnerability reports were taken seriously and patched quickly. The Swiss research firm at the centre of what Martinez has dubbed "t-shirt gate" did note that the XSS bugs they found were patched fairly quickly.

Martinez said when news of the informal reward system went public this week, his inbox "was full of angry emails from people inside and outside of Yahoo. How dare I send just a t-shirt to people as a thanks?"

He said a new bug bounty system had been in the works, but this week's events have seen the details fast-tracked.

Apart from financial rewards, Yahoo plans to make reporting of bugs easier and to provide more formal recognition for bug finders — taking up another suggestion made by the Swiss researchers.

Martinez said although the new bug bounty policy wouldn't take effect until the end of this month, it would be backdated to July 1 this year.

He said Yahoo would contact all bug hunters that had reported vulnerabilities since then, including the Swiss researchers, who could expect a financial reward even though they "didn't like my t-shirt".

Copyright © iTnews.com.au . All rights reserved.
