
Yahoo to pay up to $15,000 for bug finds after 't-shirt gate' scandal

03 Oct 2013

Yahoo has changed its bug bounty policies following a deluge of negative feedback in the wake of the news that ethical hackers were rewarded with $12.50 in gift vouchers for security flaw discoveries.

The firm's director of security, Ramses Martinez, announced in a candid post on Yahoo's developer blog that successful bug reports would now warrant a minimum reward of $150 and a potential top payment of $15,000 for the most severe and unique discoveries.

The policy will be backdated to reports submitted after 1 July 2013 and will come into full effect on 31 October. "The amount will be determined by a clear system based on a set of defined elements that capture the severity of the issue," he said.

Martinez, who claimed he paid for t-shirts for developers out of his own pocket in the past, said a process had already been set in motion before this week's "t-shirt-gate" scandal broke to properly compensate hackers for their finds.

"We recently decided to improve the process of vulnerability reporting. My 'send a t-shirt' idea needed an upgrade. This month the security team was putting the finishing touches on the revised program. And then yesterday morning 't-shirt-gate' hit. My inbox was full of angry email from people inside and out of Yahoo.

"How dare I send just a t-shirt to people as a thanks?" he lamented.

Yahoo offers a range of merchandise including this fetching cap for five dollars

Gift vouchers were valid for Yahoo t-shirts, mugs, hats and much more

He added that the reporting process would be streamlined to improve speed and quality and that companies and individuals who submitted reports would get corporate recognition to boost their own reputation, as well as public recognition for the best and most important finds in a "hall of fame".

"We're excited to get this new process going and believe it will improve Yahoo's relationship and effectiveness with the security community," Martinez concluded.

Ilia Kolochenko, chief executive of Switzerland-based High-Tech Bridge, which conducted the gift voucher-exposing research, maintained that while he did not do the research for money, he believes Yahoo's change in policy was an important step for its future.

"The fact that Yahoo is changing their programme is a good sign because it will definitely help them to facilitate relationships with security researchers," he said.

Kolochenko added that Martinez' policy of buying t-shirts with his own money was "definitely an example of how a CSO [chief security officer] should behave", but said Yahoo was better off sending no reward at all instead of corporate gifts, something he said could be interpreted as "insulting".

Martinez had the last word on the issue, saying that even Kolochenko's firm would get their just reward. "This includes, of course, a cheque for the researchers at High-Tech Bridge who didn't like my t-shirt," he said.

Michael Passingham

Michael Passingham joined V3 as a reporter in June 2013. Prior to working at V3, Michael spent time at computing magazine PC Pro. Michael covers IT skills, social media, tech startups and also produces V3's video content.
