- V3 Apps
Yahoo has changed its bug bounty policies following a deluge of negative feedback in the wake of the news that ethical hackers were rewarded with $12.50 in gift vouchers for security flaw discoveries.
The firm's director of security, Ramses Martinez, announced in a candid post on Yahoo's developer blog that successful bug reports would now warrant a minimum reward of $150 and a potential top payment of $15,000 for the most severe and unique discoveries.
The policy will be backdated to reports submitted after 1 July 2013 and would come into full effect on 31 October. "The amount will be determined by a clear system based on a set of defined elements that capture the severity of the issue," he said.
Martinez, who claimed he paid for t-shirts for developers out of his own pocket in the past, said a process had already been set in motion before this week's "t-shirt-gate" scandal broke to properly compensate hackers for their finds.
"We recently decided to improve the process of vulnerability reporting. My 'send a t-shirt' idea needed an upgrade. This month the security team was putting the finishing touches on the revised program. And then yesterday morning 't-shirt-gate' hit. My inbox was full of angry email from people inside and out of Yahoo.
"How dare I send just a t-shirt to people as a thanks?", he lamented.
Gift vouchers were valid for Yahoo t-shirts, mugs, hats and much more
He added that the reporting process would be streamlined to improve speed and quality and that companies and individuals who submitted reports would get corporate recognition to boost their own reputation, as well as public recognition for the best and most important finds in a "hall of fame".
"We're excited to get this new process going and believe it will improve Yahoo's relationship and effectiveness with the security community," Martinez concluded.
Ilia Kolochenko, chief executive of Switzerland-based High-Tech Bridge which conducted the gift voucher-exposing research, maintained that while he did not do the research for money, he believes Yahoo's change in policy was an important step for its future.
"The fact that Yahoo is changing their programme is a good sign because it will definitely help them to facilitate relationships with security researchers," he said.
Kolochenko added that Martinez' policy of buying t-shirts with his own money was "definitely an example of how a CSO [chief security officer] should behave", but said Yahoo was better off sending no reward at all instead of corporate gifts, something he said could be interpreted as "insulting".
Martinez had the last word on the issue, saying that even Kolochenko's firm would get their just reward. "This includes, of course, a cheque for the researchers at High-Tech Bridge who didn't like my t-shirt," he said.