Yahoo! dumps t-shirt bug bounty for $15,000 cheques

Ramses Martinez has received a lot of angry emails since a security researcher complained publicly about receiving a few $12.50 coupons as payment for tipping off Yahoo! to dangerous vulnerabilities.

Many in the industry were angry or perplexed that a company as large as Yahoo! could reward those who quietly report holes in its services so poorly.

But the Yahoo! security director said in a blog the initiative wasn't a formal one, but rather a personal gesture of goodwill. He simply bought coupons, t-shirts or gift certificates as an extra means of thanks on top of email exchanges.

In the wake of the "t-shirt-gate" storm, as Martinez described it, Yahoo! has issued in advance a draft set of standard policies for reporting vulnerabilities, and a formal bug bounty that holds a maximum reward of $15,000 to those reporting the most serious bugs.

The formal bug bounty polciies will be published on 31 October.

Those who reported bugs from 1 July this year would also receive a bounty payment.

"I started sending a t-shirt as a personal 'thanks'. It wasn't a policy, I just thought it would be nice to do something beyond an email," Martinez said.

"We recently decided to improve the process of vulnerability reporting. My 'send a t-shirt' idea needed an upgrade.

"This month the security team was putting the finishing touches on the revised program. And then yesterday morning 't-shirt-gate' hit."

He pointed out that Yahoo! was quick to squash reported bugs, including the email-stealing XSS vulnerabilities which brought the furore to bear. The company he said had a "large, dedicated team" that searched for security flaws and triaged community bug reports.

Casey Ellis, co-founder of managed bug bounty service BugCrowd, said sending t-shirts and the like as payment could seem reasonable but risked trouble down the line.

"A cautionary tale to take away from t-shirt-gate is this that there are a lot of dynamics in play when you kick off a program like this ... and this is why a lot of people reach out to us," Ellis said.

"[Sending a coupon] is reasonable on one hand, but at the end of the day sends a message which is all wrong. I honestly think, especially after reading the blog post, that Yahoo! were trying to do the right thing here -- It's just a lot more complex than people anticipate when they go into it.

He said organisations wanting to run a bug bounty should take time to understand what their testers expect to receive in return for reports.

"There is a strong community of bug bounty hunters who share a consensus of what is reasonable treatment and what isn't ... so people running these programs need to build in overhead to make sure they are looking after the people, not just the bugs they submit."

Ellis said offering a retrospective bounty was both bold and smart because it avoided having bug hunters finding and hoarding vulnerabilities until 31 October.

Martinez wrote that the Yahoo! bug bounty and disclosure policy addressed five areas:

1) Reporting - We’re improving the reporting process for bugs and vulnerabilities to allow us to react even quicker and more effectively. Our new site will make sending in issues to us easier, and it will be more clear about the process.

2) Issue Validation - Yahoo’s security team currently reviews all submissions from the community within minutes or at most a few hours. We do this 365 days a year, 24 hours a day. This will not change, but the new reporting process will improve our overall speed and quality.

3) Issue Remediation - Like #2, we already act swiftly to address vulnerabilities or issues affecting our network and customers. Again, this is a 24x7 process for Yahoo, and that will not change. It’s important to note that the vulnerability in question in recent press stories had already been resolved by Yahoo’s security team by the time these stories were written. But with a more clear process, we hope to be even faster here, as well.

4) Recognition - Submitted issues are validated by our team. Upon validation we will contact the reporting individual or organization directly. People will be contacted by Yahoo in no more than fourteen days after submission (but typically much faster). And because we know that formal recognition from Yahoo is often useful to an individual’s career or a firm’s reputation, we will issue a formal recognition of your help either in an email or written letter, as appropriate. For the best reported issues, we will directly call out from our site an individual’s contribution in a “hall of fame.”

5) Reward - Out with t-shirts that I buy. Yahoo will now reward individuals and firms that identify what we classify as new, unique and/or high risk issues between $150 - $15,000. The amount will be determined by a clear system based on a set of defined elements that capture the severity of the issue.

Announcing the service level agreement (point four) before the bug bounty commenced in earnest was a "tremendously ballsy move", Ellis said, because bug hunters paid the details a lot of attention.

Copyright © SC Magazine, Australia