It was an informal thank you from a Yahoo employee, not a company policy

Oct 3, 2013 09:54 GMT  ·  By

Over the past few days, Yahoo has been getting some criticism over its bug bounty program, or lack thereof. This came after the researchers at High-Tech Bridge complained that all they got for reporting two serious XSS vulnerabilities was 25 dollars’ worth (€18.38) of Yahoo store credit, good for a couple of t-shirts which, presumably, read "I fixed a critical Yahoo vulnerability and all I got was this lousy t-shirt."

But it turns out the researchers got a bit too worked up over the whole deal, as the Yahoo employee who came up with the t-shirt idea explained.

Yahoo doesn't have a formal bug-bounty program, i.e. it doesn't pay independent researchers for the vulnerabilities they report. However, Ramses Martinez, the director of Yahoo Paranoids, wanted some way of rewarding the researchers, so he started sending them Yahoo t-shirts.

This wasn't a formal program; it was just something he thought of, and he sometimes even paid for the t-shirts out of his own pocket. But as some researchers started replying that they already had a t-shirt, Martinez switched to a gift card for the Yahoo store.

"I started sending a t-shirt as a personal 'thanks.' It wasn't a policy, I just thought it would be nice to do something beyond an email. I even bought the shirts with my own money. It wasn't about the money, just a personal gesture on my behalf," Martinez explained.

It was mostly a symbolic reward, and it came with a more official thank-you letter from Yahoo, which is much more useful to researchers and security companies.

Still, once "t-shirt gate," as Yahoo dubbed it, blew up, the company decided to announce that it was implementing a proper bug bounty program of its own, with rewards ranging from $150 (€110.27) to $15,000 (€11,026). Yahoo says the program was already in the works but is not quite finished; it decided to announce it early to sway some of the critics.

The rewards are also retroactive, so even High-Tech Bridge will get paid for its contributions. The security company hasn't said anything about this new turn of events.