Yahoo established its formal bug bounty program nearly two years ago, and the company has paid out more than $1 million in rewards to researchers in that time. But security officials say the value the program has provided to the company has been just as great.
Although Yahoo was among the later wave of major Web companies to offer a formal bounty program, the reward system has proven to be quite popular with researchers. Ramses Martinez, interim CISO and senior director at Yahoo, said Tuesday that the company has received more than 10,000 submissions from 1,800 researchers since the program began in November 2013.
Martinez said that one of the positive things to come out of the reward program is the constant feedback it provides to security engineers and developers at Yahoo.
“In the last year, the program evolved from a community-sourced method of finding vulnerabilities to a key component of our application security program. One great example is how our Bug Bounty has become a feedback loop to determine the effectiveness of our application security controls,” Martinez said in a post on the company’s Tumblr.
“Our team uses each vulnerability report as a way to measure the impact of our developer training, effectiveness of scanning tools, and efficacy of source code reviews. This approach, over time, will lead to more secure applications and more secure Yahoo users.”
About 15 percent of all submissions Yahoo receives turn out to be valid vulnerabilities, Martinez said, and about half of the submissions are from just six percent of the researchers who submit bugs. Yahoo recently implemented a reputation system that has helped track the most prolific and successful submitters.
“The reputation system has made our list of top vulnerability reporters more meaningful by illustrating not only the number of reports they have submitted, but the severity value we assigned to each. The reputation system also gives researchers a quantifiable way to compare their skills with the rest of the participants in the program,” Martinez said.