The security director of Yahoo has said that a lack of a formal bug bounty process led to the payment of $12.50 for a cross-site scripting (XSS) vulnerability.
In a blog post, Yahoo security director Ramses Martinez said that after “an interesting 36 hours” the company has moved to address the issue with payments from $150 – $15,000 set to be introduced from the end of this month, with the payment amount determined by a clear system based on a set of defined elements that capture the severity of the issue.
He said: “We’re excited to get this new process going and believe it will improve Yahoo’s relationship and effectiveness with the security community. We are committed to further improvements going forward. We take your help on improving the security of our services seriously.”
With regard to the criticism levelled at Yahoo for the small payment, which was revealed by researchers at High Tech Bridge, Martinez said that a payment would be made to them and to any other researcher who submitted bugs after 1st
He admitted that there was no formal process to recognise and reward people who sent issues to the company, and that while it was fast to remedy issues, it did not have anything formal for thanking the people who sent them in.
“I started sending a T-shirt as a personal ‘thanks’. It wasn’t a policy, I just thought it would be nice to do something beyond an email. I even bought the shirts with my own money,” he said.
“It wasn’t about the money, just a personal gesture on my behalf. At some point, a few people mentioned they already had a T-shirt from me, so I started buying a gift certificate so they could get another gift of their choice. The other thing people wanted was a letter they could show their boss or client. I write these letters myself.”
As a result of an inbox full of angry messages, Martinez said that Yahoo is now working on the payment, on an improved reporting process and issue validation and better recognition.