Yahoo paid out more than $1 million to vulnerability reporters in its Bug Bounty Program

Yahoo has revealed that it has paid more than $1 million to security researchers participating in its Bug Bounty Program.

In a post on the social networking site Tumblr, Ramses Martinez, senior director and interim chief information security officer for Yahoo, said that at least 10,000 submissions were received, with approximately 1,500 tips resulting in a bounty payout.

Martinez described 2015 as a pivotal year for the program, saying it has evolved from a community-based method of rooting out vulnerabilities into a key component of Yahoo's application security program.

The program has had a healthy response rate from bug reporters, with the current monthly validity rate of submissions jumping to 15% from a 10% figure at the end of 2014. The payout for each verified bug starts at $50 and can go as high as $15,000.

However, only the first person to report an issue will be considered for the bounty, and the money is paid out only after Yahoo's security team implements a fix for the vulnerability. Until that process is concluded, which may take up to 90 days, researchers are forbidden to discuss their vulnerability discoveries publicly.

The issues covered by the Bug Bounty Program fall under traditional online attack methods such as Cross-Site Scripting, SQL injection, and Remote Code Execution, as well as Information Disclosure and Content Spoofing.

Yahoo has implemented a reputation system to accompany the Bug Bounty Program, which awards points to researchers after they report a verifiable security bug. Yahoo also assigns a severity value to each discovered bug, which is reflected in the points researchers earn through the reputation system.

Currently, Yahoo's Bug Bounty Program only covers technical vulnerabilities in Yahoo-owned applications and properties, such as the main Yahoo domain and flickr.com. Yahoo Australia and Yahoo New Zealand, however, are not covered by the program.

Researcher Sean Melia, who was Yahoo's top contributor for 2015, hopes bug bounty programs continue to expand and improve, since they are "a great opportunity for corporations and security researchers to work together".
