Post T-Shirt-Gate, Yahoo Offers Up To $15k Bug Bounty

Researchers will get more than corporate swag for finding flaws

Yahoo has announced a bigger bug bounty programme just days after it was pilloried for fobbing off researchers, who found potentially serious flaws in the web giant’s security, with a $12.50 (£17.70) voucher for t-shirts and other merchandise.

The company will now be offering anywhere between $150 (£92) and $15,000 (£9200), depending on the severity of the vulnerability. It is also setting up a “hall of fame”, akin to Google’s version, and a new site to make bug reporting easier.


Earlier this week, researchers revealed that, after they uncovered a slew of cross-site scripting flaws which would allow crooks to break into Yahoo user accounts, they were offered a paltry reward. The experts from High-Tech Bridge had found a way to steal “auth cookies”, the cookies that determine whether a user is logged in or not, and Yahoo offered them merchandise.

Yahoo denied that its new programme was a response to criticism, saying it was already working on a new bug bounty system before the furore.

“This month the security team was putting the finishing touches on the revised program. And then yesterday morning ‘t-shirt-gate’ hit,” said director of the Yahoo security team, Ramses Martinez, in a blog post.

“My inbox was full of angry email from people inside and out of Yahoo. How dare I send just a t-shirt to people as a thanks?

“So rather than wait any longer, we’ve decided to preview our new vulnerability reporting policy a bit early.”

The updated policy will land on 31 October, but will work retroactively back to 1 July. “This includes, of course, a check for the researchers at High-Tech Bridge who didn’t like my t-shirt,” added Martinez.

Yahoo isn’t the first company to face the wrath of the security community over reward and recognition. PayPal received widespread criticism for not paying a 17-year-old who found a flaw.

And Facebook was panned for not giving a researcher money as the company claimed the bug reports were not clear enough. The security community responded with its own crowdsourced reward.
