
Yahoo to pay up to $15,000 for bug finds after 't-shirt gate' scandal

03 Oct 2013

Yahoo has changed its bug bounty policies following a deluge of negative feedback in the wake of the news that ethical hackers were rewarded with $12.50 in gift vouchers for security flaw discoveries.

The firm's director of security, Ramses Martinez, announced in a candid post on Yahoo's developer blog that successful bug reports would now warrant a minimum reward of $150 and a potential top payment of $15,000 for the most severe and unique discoveries.

The policy will be backdated to reports submitted after 1 July 2013 and will come into full effect on 31 October. "The amount will be determined by a clear system based on a set of defined elements that capture the severity of the issue," he said.

Martinez, who claimed he paid for t-shirts for developers out of his own pocket in the past, said a process had already been set in motion before this week's "t-shirt-gate" scandal broke to properly compensate hackers for their finds.

"We recently decided to improve the process of vulnerability reporting. My 'send a t-shirt' idea needed an upgrade. This month the security team was putting the finishing touches on the revised program. And then yesterday morning 't-shirt-gate' hit. My inbox was full of angry email from people inside and out of Yahoo.

"How dare I send just a t-shirt to people as a thanks?" he lamented.

Yahoo offers a range of merchandise including this fetching cap for five dollars

Gift vouchers were valid for Yahoo t-shirts, mugs, hats and much more

He added that the reporting process would be streamlined to improve speed and quality and that companies and individuals who submitted reports would get corporate recognition to boost their own reputation, as well as public recognition for the best and most important finds in a "hall of fame".

"We're excited to get this new process going and believe it will improve Yahoo's relationship and effectiveness with the security community," Martinez concluded.

Ilia Kolochenko, chief executive of Switzerland-based High-Tech Bridge, which conducted the gift voucher-exposing research, maintained that while he did not do the research for money, he believed Yahoo's change in policy was an important step for its future.

"The fact that Yahoo is changing their programme is a good sign because it will definitely help them to facilitate relationships with security researchers," he said.

Kolochenko added that Martinez' policy of buying t-shirts with his own money was "definitely an example of how a CSO [chief security officer] should behave", but said Yahoo was better off sending no reward at all instead of corporate gifts, something he said could be interpreted as "insulting".

Martinez had the last word on the issue, saying that even Kolochenko's firm would get their just reward. "This includes, of course, a cheque for the researchers at High-Tech Bridge who didn't like my t-shirt," he said.

Michael Passingham

Michael Passingham joined V3 as a reporter in June 2013. Prior to working at V3, Michael spent time at computing magazine PC Pro. Michael covers IT skills, social media, tech startups and also produces V3's video content.
