Yahoo! Corporate Headquarters in Sunnyvale, Calif., on Tuesday, Jan. 20, 2015. (LiPo Ching/Bay Area News Group)

Yahoo has doled out more than $1 million in bug bounties in the past couple of years — since it started rewarding hackers who reported security vulnerabilities with money instead of T-shirts.

The payouts aren't the only things that have evolved. So has the company's thinking about what the hackers find. The company's interim chief information security officer, Ramses Martinez, wrote in a blog post Tuesday that the bounty program has become "a key component of our application security program."

Martinez said Yahoo has received 10,000 submissions since late 2013, 1,500 of which have resulted in bounty payouts. The company pays anywhere from $50 to $15,000, depending on the type of vulnerability reported, according to its bounty website.

In 2013, Yahoo was shamed into paying white hat hackers with money that could be spent in the real world instead of $12.50 that could only be spent in the company store to buy T-shirts and such. Yahoo made the change after security research firm High-Tech Bridge called the company out on it, although Martinez wrote at the time that the company had already been preparing to roll out the change. And get this: He also said he had paid the T-shirt bounties out of his own pocket. (Yahoo's thinking about bounties really has evolved — and caught up to programs by other tech companies.)

Yahoo isn't the only company that has been criticized for its compensation, or the inadequacy thereof, to bug finders. For example, in 2013, Facebook refused to pay a guy who posted about a vulnerability on CEO Mark Zuckerberg's wall, supposedly because the company didn't like the way he went about reporting it. At the time, Facebook already had a bug bounty program in place, as we wrote about on SiliconBeat.

Yahoo's bug bounty news comes amid lots of other security-related news ahead of a big week for tech security. Annual hacking conference Def Con begins at the end of next week.

HT: Graham Cluley

 

Photo of Yahoo headquarters by LiPo Ching/Mercury News