Yahoo has launched its first bug bounty program after what it called an “extremely positive” response from the security community.
The company was criticised after it “rewarded” a vulnerability disclosure of a cross-site scripting flaw with a $12.50 voucher for a T-shirt. After reviewing its policies, Yahoo security director Ramses Martinez said that a bug bounty program would be rolled out by the end of October and, true to their word, the policy was announced yesterday.
Martinez said that it was Yahoo’s hope “that the official launch of this program will usher in a new, less-shirt-centric era for security at Yahoo”.
He said: “We look forward to open and productive collaboration with the community and doing our part to make the internet more secure.”
The program will pay rewards of $250 to $15,000 depending on the severity and complexity of the issue, with a T-shirt still offered. Submissions to the website will be validated by the security team, which will also respond manually to each submitter in order “to engage the security community in a personal and open manner”.
All validated issues will also give the reporter the option of having their name appear on a “Wall of Fame”, which will list both the top ten all-time reporters and every valid report on a per-month basis.
The submitted issue must be one of the following types of vulnerability: Cross-Site Scripting; SQL Injection; Open Redirect; Remote Code Execution; Cross-Site Request Forgery; Directory Traversal; Information Disclosure; Content Spoofing and Clickjacking.
Among those excluded are software that is no longer supported, non-web applications and any non-Yahoo applications, unless it is a Yahoo-modified or Yahoo-branded version of that software. Non-Yahoo-owned partner sites and mobile apps are also not eligible.
However, any bugs on Yahoo, Flickr or branded mobile apps and client-side applications are eligible.
Among those acknowledged for helping make the launch of the program a reality was Bugcrowd. CTO Serge Belokamen told IT Security Guru that he was “very excited for them and for the researchers” and it was “all for a good cause”.
Casey Ellis, founder and CEO of Bugcrowd, said: “We got in touch with them after the $12 T-shirt fracas to offer our assistance with calming the whole thing which we helped with what they should be considering moving forward with the bounty programme.
“I think the offer is standard, they have landed where fair market value is for a company of their size; if you compare their bug payout to what you see from Google and Facebook and companies of a similar size and reputation, what they are offering is pretty good and what we have seen them payout is pretty good too as a number of testers got in touch with us to say they received a notification of eligibility for a reward, and they seem to be doing the right thing which is good.”
Commenting, Robert Hansen, technical evangelist at WhiteHat Security, said: “One thing that makes Yahoo’s bug bounty a little different than most of the others is the size and scope of Yahoo’s websites.
“They have one of the most prolific sets of applications of any website, due in large part to the number of acquisitions and the age of the domain – being one of the oldest surviving websites out there. The scale of their site is what makes it interesting; there’s a lot for bug hunters to test.”