As promised, Yahoo formally kicked off its bug bounty program late last week, aiming to correct what many in the security industry viewed as misstep after it handed out a paltry $12.50 credit to a researcher for discovering a cross-site scripting error.
The company caught flak when in September when it was reported that the $12.50 – a scant prize as it is – came as a discount code that could be used toward Yahoo-branded merchandise like t-shirts, cups and pens from its store.
Yahoo’s Security Director Ramses Martinez addressed the program’s rules in a post to its Developer Network Tumblr Thursday, joking that he hopes the program will “usher in a new, less-shirt-centric era for security at Yahoo.”
Researchers can now officially submit vulnerabilities they find in Yahoo and Flickr-branded apps and websites to the company via bugbounty.yahoo.com.
The laundry list of vulnerabilities eligible for a bounty is about on par with the lists of other websites who recently started programs of their own (Google, Facebook):
- Cross-Site Scripting
- SQL Injection
- Open Redirect
- Remote Code Execution
- Cross-Site Request Forgery
- Directory Traversal
- Information Disclosure
- Content Spoofing
As Martinez acknowledged in early October, the program will reward researchers who discover a previously unknown technical vulnerability and responsibly disclose it. Researchers will be rewarded with between $250 and $15,000 depending on the severity and complexity of the issue. Martinez adds that submissions will be validated 24 hours a day and seven days a week and that members of Yahoo’s security team will personally respond to everyone who submits a bug.
As with most bug bounty programs there’s a little bit of a gray area when it comes to other vulnerabilities that may not fit into a category above. Yahoo promises it will find another way to recognize researchers’ efforts for random vulnerabilities on other Yahoo-branded sites as long as they’re not related to networking protocol issues, social engineering or found in software that is no longer supported.
Much like Facebook does with researchers who responsibly disclose issues, Yahoo will now display the names of those who report vulnerabilities on what it’s calling a “Wall of Fame.”
The company’s lack of best practices was brought to light earlier this fall when High-Tech Bridge a Swiss security firm sent along a series of XSS vulnerabilities to firstname.lastname@example.org. Each one was met with a $12.50 Yahoo store credit.
As expected, the security community was incensed and Yahoo eventually responded, rewarding High-Tech Bridge with $1,000 for the vulnerabilities and after “meetings, emails, new contacts, and tons of discussions ,” ultimately the formation of the company’s new bug bounty program.