Yahoo has paid more than $1 million to security researchers under its bug bounty program, the company announced in a Tuesday blog post recapping the nearly two-year operation.
Calling 2015 a “pivotal year,” the company's interim CEO, Ramses Martinez, wrote that “community engagement is at an all time high” and the team “is able to triage and fix bugs faster than ever.”
Submissions reached the 10,000 mark, and approximately 1,500 of those resulted in a reward. Nearly half of submissions are from the top six percent of contributors, the post states, while the 87 percent of researchers who submit fewer than 10 bugs account for about 34 percent of submissions.
Martinez also pointed out the program's reputation system, which, he wrote, “has made our top vulnerability reporters more meaningful by illustrating not only the number of reports they submit, but the severity value we assigned to each.”