Yahoo is to start paying at least $150 to security researchers who discover flaws in its websites and services, after being heavily criticised for paying out only $12.50 in store credit for a recently reported vulnerability.

Earlier this week, security firm High-Tech Bridge complained that it was sent a voucher for Yahoo’s store worth $12.50 for each flaw it reported to the company – a paltry reward compared to the hundreds or thousands of dollars offered by Facebook and Google.
Yahoo’s director of security Ramses Martinez admitted he was “the guy who sent the T-shirt”, referring to the company’s previous informal practice of offering a free T-shirt as a gesture of gratitude for bug reports.
“It wasn’t a policy, I just thought it would be nice to do something beyond an email. I even bought the shirts with my own money,” he said. “It wasn’t about the money, just a personal gesture on my behalf. At some point, a few people mentioned they already had a T-shirt from me, so I started buying a gift certificate so they could get another gift of their choice.”
Martinez also said security researchers might ask for a letter to show their boss or clients – which he wrote himself.
However, even before the High-Tech Bridge complaint, Martinez said Yahoo knew it had to upgrade the way it rewards researchers – and, conveniently, had the new system ready to go as the controversy broke.
“This month the security team was putting the finishing touches on the revised programme. And then yesterday morning ‘T-shirt-gate’ hit,” he said. “My inbox was full of angry email from people inside and out of Yahoo.”
To address the complaints, Yahoo sped up the launch of the programme, which features a new reporting website, faster solutions for vulnerabilities, and better recognition for researchers. That will involve a letter from Yahoo, possible inclusion in a new, public “hall of fame” and bug bounties of between $150 and $15,000 for serious flaws.
Those payments will be backdated to 1 July 2013, so any researchers whose reports qualify will get paid – as well as keeping their T-shirt. “This includes, of course, a cheque for the researchers at High-Tech Bridge who didn’t like my T-shirt,” he added.