

Yahoo to pay up to $15,000 for bug finds after 't-shirt gate' scandal

03 Oct 2013

Yahoo has changed its bug bounty policies following a deluge of negative feedback in the wake of the news that ethical hackers were rewarded with $12.50 in gift vouchers for security flaw discoveries.

The firm's director of security, Ramses Martinez, announced in a candid post on Yahoo's developer blog that successful bug reports would now warrant a minimum reward of $150 and a potential top payment of $15,000 for the most severe and unique discoveries.

The policy will be backdated to reports submitted after 1 July 2013 and will come into full effect on 31 October. "The amount will be determined by a clear system based on a set of defined elements that capture the severity of the issue," he said.

Martinez, who claimed he paid for t-shirts for developers out of his own pocket in the past, said a process had already been set in motion before this week's "t-shirt-gate" scandal broke to properly compensate hackers for their finds.

"We recently decided to improve the process of vulnerability reporting. My 'send a t-shirt' idea needed an upgrade. This month the security team was putting the finishing touches on the revised program. And then yesterday morning 't-shirt-gate' hit. My inbox was full of angry email from people inside and out of Yahoo.

"How dare I send just a t-shirt to people as a thanks?" he lamented.

Yahoo offers a range of merchandise including this fetching cap for five dollars

Gift vouchers were valid for Yahoo t-shirts, mugs, hats and much more

He added that the reporting process would be streamlined to improve speed and quality and that companies and individuals who submitted reports would get corporate recognition to boost their own reputation, as well as public recognition for the best and most important finds in a "hall of fame".

"We're excited to get this new process going and believe it will improve Yahoo's relationship and effectiveness with the security community," Martinez concluded.

Ilia Kolochenko, chief executive of Switzerland-based High-Tech Bridge, which conducted the research that exposed the gift vouchers, maintained that while he did not do the research for money, he believes Yahoo's change in policy was an important step for its future.

"The fact that Yahoo is changing their programme is a good sign because it will definitely help them to facilitate relationships with security researchers," he said.

Kolochenko added that Martinez's policy of buying t-shirts with his own money was "definitely an example of how a CSO [chief security officer] should behave", but said Yahoo was better off sending no reward at all instead of corporate gifts, something he said could be interpreted as "insulting".

Martinez had the last word on the issue, saying that even Kolochenko's firm would get their just reward. "This includes, of course, a cheque for the researchers at High-Tech Bridge who didn't like my t-shirt," he said.

Michael Passingham