The company provides a preview of its bug bounty program

Oct 3, 2013 11:52 GMT  ·  By

Over the past couple of days, Yahoo has been heavily criticized by the security community after rewarding security researchers who identified XSS vulnerabilities with $12.5 (€9) coupons. To prove that it is taking security seriously, Yahoo has provided a preview of its new bug bounty program.

The company’s representatives say they’re still putting the finishing touches on the program, but because of all the controversy, they’ve decided to show security experts what to expect.

The vulnerability reporting policy is expected to be launched by October 31, 2013. What’s important to note is that it will be implemented retroactively back to July 1, 2013, so if you've reported anything over the past summer, you’ll be rewarded.

Let’s take a better look at the details of the program.

First of all, Yahoo’s new website will allegedly make the reporting process easier and clearer. The company claims that it’s already reviewing security reports within minutes, or at most hours, but says the new reporting process will nonetheless improve overall quality and speed.

Yahoo also promises to fix the reported vulnerabilities faster than it has until now.

As far as recognition and rewards are concerned, Yahoo says that it will directly contact the individuals or organizations whose submitted issues have been validated.

“People will be contacted by Yahoo in no more than fourteen days after submission (but typically much faster). And because we know that formal recognition from Yahoo is often useful to an individual’s career or a firm’s reputation, we will issue a formal recognition of your help either in an email or written letter, as appropriate,” Ramses Martinez, director at Yahoo Paranoids, noted.

In addition to formal recognition, the best reported issues will also be listed in a hall of fame.

More importantly, the rewards will be much higher than $12.5 (€9). Yahoo promises rewards ranging between $150 (€110) and $15,000 (€11,000).