Yahoo rushes in reworked security bug bounty programme


Yahoo has announced an overhaul of its security bug bounty programme, after being criticised for rewarding researchers who uncover flaws in its products with discount branded goods.

The internet giant came under fire earlier this week after researchers at IT security services provider High-Tech Bridge claimed they were offered a $12.50 discount code as a reward for uncovering a cross-site scripting (XSS) flaw in Yahoo Mail.

The discount was only redeemable against Yahoo branded products sold by its corporate store.

The policy has enraged the security research community, with many claiming the reward scheme offers little incentive to report bugs.

However, in a blog post, Yahoo said it has been working on a revised rewards programme for some time now, which it has decided in light of this week's reports to introduce slightly earlier than planned.

"We recently decided to improve the process of vulnerability reporting... This month the security team was putting the finishing touches on the revised programme," explained Ramses Martinez, director of Yahoo Paranoids.

"And then yesterday my inbox was full of angry email from people inside and out of Yahoo. How dare I send just a T-shirt to people as thanks?

"So, rather than wait any longer, we've decided to preview our new vulnerability reporting policy a bit early."

Under the reworked system, Yahoo will now hand out cash rewards of between $150 and $15,000 for "new, unique and high-risk" issues, with payment size dependent on the severity of the issue.

The company has also vowed to respond, review and fix bugs faster than ever before.

The new policy will come into force on 31 October 2013, but the benefits will be offered to anyone who has reported a bug since 1 July 2013.

"If you submitted something to us and we responded with an acknowledgement (and probably a T-shirt) after July 1, we will reconnect with you about this new program. This includes, of course, a cheque for the researchers at High-Tech Bridge who didn't like my T-shirt," he added.

Martinez also used the post to defend the company's existing rewards programme, explaining that the firm started offering T-shirts and company store discounts as a personal acknowledgement of researchers' efforts.

"When I first took over the team that works with the security community on issues and vulnerabilities, we didn't have a formal process to recognise and reward people who sent issues to us," explained Martinez.

"I started sending a t-shirt as a personal thanks. It wasn't a policy, I just thought it would be nice to do something beyond [sending] an email."

After a while, regular Yahoo bug finders said they had already received T-shirts as a reward for their efforts, so Martinez decided to buy them gift certificates so they could buy another item of their choosing from the company store.

Both the T-shirts and the gift certificates were paid for using Martinez's own money, he claimed, and he also took the time to write letters thanking people for uncovering bugs.

"Most companies offer just a thanks, maybe some schwag, for identifying a potential vulnerability. There are those that offer money," he added.

Caroline Donnelly is the news and analysis editor of IT Pro and its sister site Cloud Pro, and covers general news, as well as the storage, security, public sector, cloud and Microsoft beats. Caroline has been a member of the IT Pro/Cloud Pro team since March 2012, and has previously worked as a reporter at several B2B publications, including UK channel magazine CRN, and as features writer for local weekly newspaper, The Slough and Windsor Observer. She studied Medical Biochemistry at the University of Leicester and completed a Postgraduate Diploma in Magazine Journalism at PMA Training in 2006.