Following $12.50 “t-shirt-gate”, Yahoo is now offering up to $15,000 in bug bounty

At the start of this week Swiss cyber security firm High Tech Bridge caused something of a stir.

The firm identified a couple of Yahoo vulnerabilities, including one that allowed it to gain access to users' emails, reported them to Yahoo, then revealed to the world that all the Internet giant offered by way of bug bounty was $12.50 (£7.70) - in Yahoo store credit.

Yes, for revealing to Yahoo a serious security flaw, one that could be worth quite a bit to black hat hackers and cybercriminals, the firm could choose between items such as a Yahoo t-shirt, a pen and a rubber duck.

As Ilia Kolochenko, High-Tech Bridge's CEO, put it: "Yahoo should probably revise their relations with security researchers. Paying several dollars per vulnerability is a bad joke and won't motivate people to report security vulnerabilities to them, especially when such vulnerabilities can be easily sold on the black market for a much higher price."

Yahoo has now answered that call and majorly overhauled its bug bounty scheme. The firm will now offer anything between $150 (£92.50) right up to a whopping $15,000 (£9,250) to individuals and firms that identify what Yahoo classifies as a "new, unique and/or high risk issue".

Taking Kolochenko's advice, the company is also planning to follow Google's lead and set up a hall of fame for individuals who report the biggest issues.

Google currently offers up to $20,000 (£12,300) in reward money to those who identify vulnerabilities, whilst Facebook offers a $500 (£308) flat rate, although as Palestinian hacker Khalil Shreateh found, they don't always like to hand it out.

Taking the rap for Yahoo's majorly outdated store credit reward, Yahoo's security director Ramses Martinez wrote on Tumblr: "So, I am the guy who started sending t-shirts as a thanks to people when they sent us a potential vulnerability issue. What an interesting 36 hours it has been."

He then claims that Yahoo was in fact already in the process of updating their vulnerability reporting process and the "send a t-shirt" policy, before "t-shirt-gate hit". "So rather than wait any longer, we've decided to preview our new vulnerability reporting policy a bit early," he added.

The new policy is set to be fully released by the end of the month, but the new bug bounty reward scheme is going to be implemented retroactively back to 1 July of this year, meaning anyone who has reported a security issue since then will receive a cash reward.

"This includes, of course, a check for the researchers at High-Tech Bridge who didn't like my t-shirt," Martinez said.