Yahoo plots bug bounties up to $15,000

Yahoo will reward security researchers who find vulnerabilities in its platforms with payments of between $150 and $15,000 from the end of October under a major overhaul of its bug bounty system.

The amount of the reward will depend on the severity of the reported issue, and will replace what has emerged as an informal reward system that was being administered and paid for by the internal security team themselves (which is known as 'Yahoo Paranoids').

That informal reward system was tested and criticised this week by Swiss penetration testers High-Tech Bridge, who said they had been rewarded for finding cross-site scripting vulnerabilities with a US$12.50 voucher that could be used to buy Yahoo-branded merchandise.

Yahoo Paranoids director Ramses Martinez said in a blog post today that until now, Yahoo had not run a formal reward system for people that dob in vulnerabilities.

He said he personally started buying t-shirts and sending them to researchers "as a personal 'thanks'".

"It wasn't a policy, I just thought it would be nice to do something beyond an email," Martinez said. "It wasn't about the money, just a personal gesture on my behalf."

Martinez said once researchers had a t-shirt, he switched to sending gift certificates "so they could get another gift of their choice".

He said despite the low-key reward system, vulnerability reports were taken seriously and patched quickly. The Swiss research firm at the centre of what Martinez has dubbed "t-shirt gate" did note that the XSS bugs they found were patched fairly quickly.

Martinez said when news of the informal reward system went public this week, his inbox "was full of angry emails from people inside and outside of Yahoo. How dare I send just a t-shirt to people as a thanks?"

He said a new bug bounty system had been in the works, but this week's issues has seen details fast-tracked.

Apart from financial rewards, Yahoo plans to make reporting of bugs easier and to provide more formal recognition for bug finders — taking up another suggestion made by the Swiss researchers.

Martinez said although the new bug bounty policy wouldn't take effect until the end of this month, it would be backdated to July 1 this year.

He said Yahoo would contact all bug hunters that had reported vulnerabilities since then, including the Swiss researchers, who could expect a financial reward even though they "didn't like my t-shirt".