Yahoo plots bug bounties up to $15,000

Powered by SC Magazine

Previous $12.50 rewards were funded from IT security team's pockets.

Yahoo will reward security researchers who find vulnerabilities in its platforms with payments of between $150 and $15,000 from the end of October under a major overhaul of its bug bounty system.

The amount of the reward will depend on the severity of the reported issue, and will replace what has emerged as an informal reward system that was being administered and paid for by the internal security team themselves (which is known as 'Yahoo Paranoids').

That informal reward system was tested and criticised this week by Swiss penetration testers High-Tech Bridge, who said they had been rewarded for finding cross-site scripting vulnerabilities with a US$12.50 voucher that could be used to buy Yahoo-branded merchandise.

Yahoo Paranoids director Ramses Martinez said in a blog post today that until now, Yahoo had not run a formal reward system for people that dob in vulnerabilities.

He said he personally started buying t-shirts and sending them to researchers "as a personal 'thanks'".

"It wasn't a policy, I just thought it would be nice to do something beyond an email," Martinez said. "It wasn't about the money, just a personal gesture on my behalf."

Martinez said once researchers had a t-shirt, he switched to sending gift certificates "so they could get another gift of their choice".

He said despite the low-key reward system, vulnerability reports were taken seriously and patched quickly. The Swiss research firm at the centre of what Martinez has dubbed "t-shirt gate" did note that the XSS bugs they found were patched fairly quickly.

Martinez said when news of the informal reward system went public this week, his inbox "was full of angry emails from people inside and outside of Yahoo. How dare I send just a t-shirt to people as a thanks?"

He said a new bug bounty system had been in the works, but this week's issues have seen details fast-tracked.

Apart from financial rewards, Yahoo plans to make reporting of bugs easier and to provide more formal recognition for bug finders — taking up another suggestion made by the Swiss researchers.

Martinez said although the new bug bounty policy wouldn't take effect until the end of this month, it would be backdated to July 1 this year.

He said Yahoo would contact all bug hunters that had reported vulnerabilities since then, including the Swiss researchers, who could expect a financial reward even though they "didn't like my t-shirt".
