Yahoo announced that it has paid security researchers one million dollars as part of its bug bounty program. According to a post written by Ramses Martinez, Senior Director and Interim CISO at Yahoo, the company's bug bounty program, which The State of Security named one of our 11 Essential Bug Bounty Programs in 2015, has shown significant growth over the past year.
"2015 has been a pivotal year for the Yahoo Bug Bounty program," Martinez writes. "Our community engagement is at an all-time high and our team is able to triage and fix bugs faster than ever. In the last year, the program evolved from a community-sourced method of finding vulnerabilities to a key component of our application security program."
Before 2013, Yahoo awarded all security researchers a $12.50 voucher regardless of the severity of the vulnerabilities they uncovered. Following numerous complaints, HackerOne helped Yahoo launch an improved bug bounty program. Martinez goes on to explain that under the new program, Yahoo has given out rewards as high as $15,000, with awards starting at $150. More than 1,800 researchers have participated in the bug bounty program thus far, reporting over 600 verifiable vulnerabilities to Yahoo. Half of all submissions have come from the top 6 percent of contributors to the program. In total, Yahoo has provided $1 million in rewards to security researchers since 2013.
One of the improvements that has facilitated this type of growth is the implementation of a reputation system.
"This process is designed to award points to researchers after reporting a verifiable security bug. The number of points is also affected by the amount of the bounty the reporter is paid," Martinez explains. "The reputation system has made our list of top vulnerability reporters more meaningful by illustrating not only the number of reports they have submitted, but the severity value we assigned to each. The reputation system also gives researchers a quantifiable way to compare their skills with the rest of the participants in the program."
To learn more about Yahoo's bug bounty program, please click here.