Yahoo boosts bug bounties after $12.50 payout

Yahoo is to start paying at least $150 to security researchers who discover flaws in its websites and services, after being heavily criticised for paying out only $12.50 in store credit for a recently reported vulnerability.

Earlier this week, security firm High-Tech Bridge complained that it had been sent a $12.50 voucher for Yahoo’s store for each flaw it reported to the company – a paltry reward compared with the hundreds or thousands of dollars paid out by the Facebook and Google bounty programmes.

Yahoo’s director of security Ramses Martinez admitted he was “the guy who sent the T-shirt”, referring to the company’s previous informal practice of offering a free T-shirt as a gesture of gratitude for bug reports.

“It wasn’t a policy, I just thought it would be nice to do something beyond an email. I even bought the shirts with my own money,” he said. “It wasn’t about the money, just a personal gesture on my behalf. At some point, a few people mentioned they already had a T-shirt from me, so I started buying a gift certificate so they could get another gift of their choice.”

Martinez also said security researchers might ask for a letter to show their boss or clients – which he wrote himself.

However, even before the High-Tech Bridge complaint, Martinez said Yahoo knew it had to upgrade the way it rewards researchers – and, conveniently, had the new system ready to go as the controversy broke.

“This month the security team was putting the finishing touches on the revised programme. And then yesterday morning ‘T-shirt-gate’ hit,” he said. “My inbox was full of angry email from people inside and out of Yahoo.”

To address the complaints, Yahoo sped up the launch of the programme, which features a new reporting website, faster solutions for vulnerabilities, and better recognition for researchers. That will involve a letter from Yahoo, possible inclusion in a new, public “hall of fame” and bug bounties of between $150 and $15,000 for serious flaws.

Those payments will be backdated to 1 July 2013, so any researchers whose reports qualify will get paid – as well as keeping their T-shirt. “This includes, of course, a cheque for the researchers at High-Tech Bridge who didn’t like my T-shirt,” he added.
