Yahoo's new bug bounty policy rewards researchers up to $15K for "high risk" discoveries
Shortly after a security firm called Yahoo out for its vulnerability reporting policy, the company announced significant changes to the way it will handle researchers' bug discoveries.
On Wednesday, Ramses Martinez, director of Yahoo's security team, took to the company's developer blog to clear the air following its recently criticized move: divvying up a $25 store credit to researchers who discovered XSS flaws affecting two Yahoo domains.
Now, the company is previewing an updated bug reporting policy.
In addition to streamlining its bug reporting and remediation process, the company plans to pay those who report “new, unique and/or high risk issues” between $150 to $15,000, Martinez wrote. The company will also introduce a hall of fame for novel discoveries brought to its attention.
Yahoo is still working out the details of its revised policy, but plans to release it by Oct. 31.
Martinez noted that the researchers at Swiss penetration testing firm High-Tech Bridge, who discovered the XSS bugs, would also benefit from the new change – as the policy will be implemented retroactive back to July 1.
In the blog post, Martinez revealed that when he took over the security team, the company “didn't have a formal process to recognize and reward people who sent issues” to Yahoo.
“I started sending a t-shirt as a personal ‘thanks,'” Martinez wrote. “It wasn't a policy, I just thought it would be nice to do something beyond an email. I even bought the shirts with my own money. It wasn't about the money, just a personal gesture on my behalf.”
Eventually, Martinez said he began buying gift certificates and writing letters of thanks for researchers' work. According to the security team director, the company was “putting the finishing touches on the revised program” this month, before “t-shirt-gate” happened, he wrote.
In response to the coming policy changes, Ilia Kolochenko, CEO at High-Tech Bridge, told SCMagazine.com in a Thursday email that his company wasn't doing its research for the money, but that the improved policy should instill better security at the company – the ultimate goal.
“We were not doing our research for money, as we clearly said to Yahoo while reporting the vulnerabilities,” Kolochenko said. “However, we are glad that Yahoo is now introducing [the] new bug bounty program that will facilitate their relations with security researchers and help them improv[e] their corporate security. That's definitely good news.”