Yahoo has splashed out over $1mn in bug bounty payments

Yahoo has announced that it has paid out in excess of $1 million to resourceful bug hunters who have sniffed out and reported security vulnerabilities.

The new Bug Bounty program from Yahoo marks a major change in terms of paying out decent wedges of cash for the discovery of a flaw, instead of the vouchers for T-shirts and other dubious Yahoo branded merchandise that the web giant used to give out.

The company noted that it has received 10,000 bug reports since the program kicked off, and 1500 of these have been given a bounty payment – meaning the average payment is something in the order of $670 (around £430).

Yahoo also stated that around 1800 participants are in the program, with a third of these having reported verifiable bugs. Half of all submissions are from the top 6 per cent of contributors, so things are weighted pretty heavily towards these tech-savvy dedicated bug hunters.

Ramses Martinez, Senior Director, Interim CISO at Yahoo, commented: “In the last year, the program evolved from a community sourced method of finding vulnerabilities to a key component of our application security program. One great example is how our Bug Bounty has become a feedback loop to determine the effectiveness of our application security controls.

“Our team uses each vulnerability report as a way to measure the impact of our developer training, effectiveness of scanning tools, and efficacy of source code reviews. This approach, over time, will lead to more secure applications and more secure Yahoo users.”