Friday, May 29, 2015

Yahoo Finally Launches Bug Bounty Program to Reward Hackers

After offering one hacker a grand total of $25 to buy Yahoo-themed swag (such as T-shirts, “poopy bag dispensers,” or purple rubber ducks), Yahoo is getting serious about rewarding friendly hackers, announcing a program that will offer rewards of up to $15,000.


The company said on Thursday that it had been planning to announce the program for the last month, but decided to fast-track the launch after the incident it referred to as “t-shirt-gate.”




In a blog post titled “So I’m the guy who sent the t-shirt out as a thank you,” Yahoo’s security team director Ramses Martinez revealed that, until now, he personally sent researchers T-shirts and thank you notes as reward for uncovering vulnerabilities or bugs and reporting them to Yahoo.


“It wasn’t a policy, I just thought it would be nice to do something beyond an email. I even bought the shirts with my own money. It wasn’t about the money, just a personal gesture on my behalf,” he wrote.


Now there will be no more T-shirts. Researchers and hackers will get rewards of at least $150, and up to $1,500 for their discoveries. The company will also give them formal recognition in the form of an email or letter, and, in the case of really serious bugs, Yahoo will induct the researcher into a newly created “hall of fame.”


With this announcement, Yahoo joins scores of other companies that have so-called bug bounty programs, which have the dual goal of encouraging researchers to report bugs and fostering a good relationship with independent, friendly hackers.


Google, Microsoft, and Facebook already have programs, although Facebook had its own PR misstep when it refused to reward a Palestinian hacker who broke into Mark Zuckerberg’s timeline. The hacker eventually got rewarded with more than $11,000 by a crowdsourced campaign.


What’s more, Martinez announced that the program is retroactive and researchers who reported bugs after July 1, 2013, will get rewarded too. That includes Ilia Kolochenko, who found three serious vulnerabilities in Yahoo Mail on Sept. 23, and was then offered a gift voucher of $25.


Kolochenko, who is the CEO of security firm High Tech Bridge, told Mashable that Yahoo still hasn’t contacted him for a reward, but he’s glad it is changing its policies. And he said he was surprised to find out Martinez paid rewards with his own money.


“Such action definitely deserves big respect, but does he get his salary by Yahoo gift-vouchers as well?” he wrote in an email. “I have a feeling that Yahoo’s top management, who didn’t provide their security team with enough funding before our post, now tries to put the blame on the CSO and his team, who reacted rapidly and made good changes to their reward policy. That’s not very fair.”


UPDATE, Oct. 3, 3:04 p.m.: In the event of receiving a monetary award, Ilia Kolochenko said High Tech Bridge will donate it to the non-profit Open Security Foundation.


Image: Flickr, carvalho


Read more: http://mashable.com/2013/10/03/yahoo-bug-bounty-program/
