Yahoo squashed the idea of an official bug bounty program for years, but the internet corporation has now finally relented.
The program is only for Yahoo-owned applications, which include yahoo.com, flickr.com and related mobile apps and client-side applications. Bug bounty hunters who discover vulnerabilities in anything else related to Yahoo will be recognized in “another way,” according to the official release.
Rewards range from $250 to $15,000 based on the severity of the flaw. In order to qualify, the bug bounty hunter must be the first to report the issue and must give the Yahoo security team enough time to respond to and correct the vulnerability before it is made public.
Flaws that will be considered for monetary rewards include cross-site scripting, SQL injection, open redirect, remote code execution, cross-site request forgery, directory traversal, information disclosure, content spoofing and clickjacking. Yahoo will respond accordingly to other reported vulnerabilities.
The move appears to be a response to an early October media debacle that ensued after a Swiss penetration testing firm was rewarded $25 in Yahoo store credit for alerting the internet corporation to three significant cross-site scripting flaws.
The flaws, which affected the ecom.yahoo.com and adserver.yahoo.com domains, could allow any “@Yahoo.com” email account to be compromised if a logged-in user clicked a malicious link sent by a saboteur.