After CBR contacted Yahoo about criticism from High-Tech Bridge over the internet service’s bug bounty programme, Yahoo published a blog post in response.
It seems that High-Tech Bridge wasn’t the only company that had an issue with Yahoo’s bounty, as the blog post stated that the inbox of Ramses Martinez, director of Yahoo Paranoids, was filled with complaint emails within 36 hours of the scheme’s launch.
Yahoo had been giving away t-shirts and vouchers for the Yahoo Company Store to individuals or firms reporting bugs in its systems. High-Tech Bridge received just a $12.50 discount code for the Yahoo store, redeemable for t-shirts, cups, pens and other merchandise. These gifts pale in comparison to the hundreds of dollars that Facebook offers as rewards on its bug bounty programme.
Ilia Kolochenko, High-Tech Bridge CEO, said: "Paying several dollars per vulnerability is a bad joke and won’t motivate people to report security vulnerabilities to them, especially when such vulnerabilities can be easily sold on the black market for a much higher price."
Martinez insists that he was sending the t-shirt as a personal thanks. "It wasn’t a policy, I just thought it would be nice to do something beyond an email. I even bought the shirts with my own money," he said. "It wasn’t about the money, just a personal gesture on my behalf. At some point, a few people mentioned they already had a t-shirt from me, so I started buying a gift certificate so they could get another gift of their choice. The other thing people wanted was a letter they could show their boss or client. I write these letters myself.
"We recently decided to improve the process of vulnerability reporting. My ‘send a t-shirt’ idea needed an upgrade. This month the security team was putting the finishing touches on the revised program. And then yesterday morning ‘t-shirt-gate’ hit. My inbox was full of angry email from people inside and out of Yahoo. How dare I send just a t-shirt to people as a thanks?
"So rather than wait any longer, we’ve decided to preview our new vulnerability reporting policy a bit early," he said.
The new policy will be released on October 31, 2013, with the intent of improving Yahoo’s relationship and effectiveness with the security community. This will include making reporting easier, improving the speed and quality of issue validation, a clearer process for issue remediation, and recognition of submitted issues via an email or written letter. The best reported issues will be directly called out on Yahoo’s site as an individual contribution in a "hall of fame."
And finally, Yahoo will ditch the t-shirts and reward individuals and firms that identify new, unique and/or high-risk issues with between $150 and $15,000. The amount will be determined by a clear system based on a set of defined elements that capture the severity of the issue.
Martinez added: "If you submitted something to us and we responded with an acknowledgement (and probably a t-shirt) after July 1st, we will reconnect with you about this new program. This includes, of course, a check for the researchers at High-Tech Bridge who didn’t like my t-shirt."