Yahoo plots bug bounties up to $15,000

Powered by SC Magazine

Previous $12.50 rewards were funded from IT security team's pockets.

Yahoo will reward security researchers who find vulnerabilities in its platforms with payments of between $150 and $15,000 from the end of October under a major overhaul of its bug bounty system.

The amount of the reward will depend on the severity of the reported issue, and will replace what has emerged as an informal reward system that was being administered and paid for by the internal security team themselves (which is known as 'Yahoo Paranoids').

That informal reward system was tested and criticised this week by Swiss penetration testers High-Tech Bridge, who said they had been rewarded for finding cross-site scripting vulnerabilities with a US$12.50 voucher that could be used to buy Yahoo-branded merchandise.

Yahoo Paranoids director Ramses Martinez said in a blog post today that until now, Yahoo had not run a formal reward system for people that dob in vulnerabilities.

He said he personally started buying t-shirts and sending them to researchers "as a personal 'thanks'".

"It wasn't a policy, I just thought it would be nice to do something beyond an email," Martinez said. "It wasn't about the money, just a personal gesture on my behalf."

Martinez said once researchers had a t-shirt, he switched to sending gift certificates "so they could get another gift of their choice".

He said despite the low-key reward system, vulnerability reports were taken seriously and patched quickly. The Swiss research firm at the centre of what Martinez has dubbed "t-shirt gate" did note that the XSS bugs they found were patched fairly quickly.

Martinez said when news of the informal reward system went public this week, his inbox "was full of angry emails from people inside and outside of Yahoo. How dare I send just a t-shirt to people as a thanks?"

He said a new bug bounty system had been in the works, but this week's issues has seen details fast-tracked.

Apart from financial rewards, Yahoo plans to make reporting of bugs easier and to provide more formal recognition for bug finders — taking up another suggestion made by the Swiss researchers.

Martinez said although the new bug bounty policy wouldn't take effect until the end of this month, it would be backdated to July 1 this year.

He said Yahoo would contact all bug hunters that had reported vulnerabilities since then, including the Swiss researchers, who could expect a financial reward even though they "didn't like my t-shirt".

Copyright © . All rights reserved.

Yahoo plots bug bounties up to $15,000
Top Stories
Westpac interim CIO resigns
Group CIO yet to be appointed.
Five emerging technologies that will transform financial services
[Blog post] Far out ideas that aren't far off.
Earning the right to innovate
Breaking down the barriers to innovation is a long, but rewarding process, says Bank of Queensland Group CIO, Julie Bale.
Sign up to receive iTnews email bulletins
Latest Comments
What is delaying adoption of public cloud in your organisation?

   |   View results
Lock-in concerns
Application integration concerns
Security and compliance concerns
Unreliable network infrastructure
Data sovereignty concerns
Lack of stakeholder support
Protecting on-premise IT jobs
Difficulty transitioning CapEx budget into OpEx