The company has finally put its proper bug bounty program in place

Nov 1, 2013 15:26 GMT

A few weeks ago, Yahoo was forced to reveal that it was working on a bug bounty program to reward researchers who discovered security bugs and vulnerabilities in its sites.

This came after one security company was quite upset over getting just a coupon in the company store, for Yahoo t-shirts, mugs, and the like, as thanks for the vulnerabilities it reported.

Yahoo defended itself, saying that the store coupon was simply what the security team gave researchers while no formal bug bounty program was in place. It wasn't meant as a slight; it was just a symbolic way of saying thanks.

The company also said it had been working on a bug bounty program and, now, that program is live. The new formal program seems to be doing things right.

First, there is now a single official place to report bugs, with information on how to do it properly, covering all Yahoo properties. The company has a team of security experts on call 24/7 to check and validate the reports.

All validated bugs will be added to a Wall of Fame, giving researchers a way of being recognized for their contributions. And, finally, yes, Yahoo will start handing out real cash for serious issues, anything from $250 (€185) to $15,000 (€11,100), decided on a case-by-case basis.

"It is our hope that the official launch of this program will usher in a new, less-shirt-centric era for security at Yahoo. We look forward to open and productive collaboration with the community and doing our part to make the Internet more secure," Ramses Martinez, director of Yahoo Paranoids, wrote.

"Lastly, I want to thank the following people who made the launch of this program a reality: our friends at Google, Facebook, Hackerone, and Bugcrowd, for taking my calls and providing some very sage advice," he added.