Earlier this week, Yahoo was making some headlines for giving security researchers credit at its online corporate store as the reward for finding security vulnerabilities in Yahoo products.
Researchers at High-Tech Bridge put out a press release calling attention to this, when they were “awarded” $12.50 in store credit per vulnerability, amounting to enough to get a Yahoo-branded t-shirt or a few pairs of socks featuring Yahoo’s old, outdated logo.
Apparently the attention did some good, as Yahoo is now offering cash rewards of anywhere from $150 to $15,000 per vulnerability. This was announced in a blog post by Yahoo’s Ramses Martinez, titled, “So I’m the guy who sent the t-shirt out as a thank you.”
He says that when he took over the team that works with the security community on issues and vulnerabilities, they didn’t have a formal process, so he wanted to give people t-shirts just to say “thank you,” thinking this would be more courteous than just an email.
“I even bought the shirts with my own money,” he writes. “It wasn’t about the money, just a personal gesture on my behalf. At some point, a few people mentioned they already had a t-shirt from me, so I started buying a gift certificate so they could get another gift of their choice. The other thing people wanted was a letter they could show their boss or client. I write these letters myself.”
He goes on to say that Yahoo was actually putting a new program into place, which would reward researchers for finding vulnerabilities, and that they were just “putting the finishing touches on the revised program, and then…’t-shirt-gate’ hit.”
You can see his general outline of the program in the post, but essentially, the company will pay out cash rewards in the range mentioned above with the amount being determined by a “clear system based on a set of defined elements that capture the severity of the issue.”
This should put an end to “t-shirt-gate” (I still prefer the socks angle).
Internet security vet Graham Cluley, who earlier slammed the t-shirt practice, got a statement from High-Tech Bridge in response to Yahoo’s announcement:
We were not doing our research for money, as we clearly said to Yahoo. However, we are glad that Yahoo is introducing a new Bug Bounty Program that will facilitate their relations with security researchers and help them improve their corporate security.
The only unclear point I have right now is the comment from their CSO who says that he paid researchers from his own pockets. Such action definitely deserves respect, but does he get his salary in Yahoo vouchers as well?
Either way, Yahoo’s new program should sit a lot better with security researchers, and perhaps win the company a little more respect in the field. As Cluley notes, however, there is still that matter of the recycled email addresses.
Image: Yahoo Company Store