Yahoo's bug bounty program has gone live; it will reward security professionals for finding bugs in its applications on yahoo.com, flickr.com and related mobile and client-side apps.
Bug bounty hunters who discover vulnerabilities in anything else related to Yahoo will be recognised in “another way,” according to the official release.
Rewards range from $250 to $15,000 based on the severity of the flaw. In order to qualify, the bug bounty hunter must be the first to report the issue and must give the Yahoo security team enough time to respond to and correct the vulnerability before it is made public.
Flaws that will be considered for monetary rewards include cross-site scripting, SQL injection, open redirect, remote code execution, cross-site request forgery, directory traversal, information disclosure, content spoofing and clickjacking. Yahoo will respond accordingly to other reported vulnerabilities.
The move appears to be a response to the media debacle in early October, after a Swiss penetration-testing firm was rewarded with $25 in Yahoo store credit for alerting the company to three significant cross-site scripting flaws.
The flaws, which affected the ecom.yahoo.com and adserver.yahoo.com domains, could have allowed any "@yahoo.com" email account to be compromised if its logged-in owner clicked a malicious link sent by an attacker.