Industry News

Yahoo! Dumps T-shirt Bounties for Serious Cash

Yahoo! dumped T-shirt bounties for money rewards, after a team of Swiss security researchers publicly shamed the tech giant for offering clothing discounts instead of dollars. The branded T-shirt rewards will be replaced with bounties between $150 and $15,000 for vulnerabilities classified as “new, unique and/or high risk.”

In September, Yahoo’s reputation was seriously shaken by Swiss security company High-Tech Bridge, who found four serious vulnerabilities in the network, three of which could have allowed hackers to hijack any email account. The cross-site scripting flaws have been fixed in the meantime, but the Swiss researchers were only offered $12.50 t-shirts as a reward.

“We recently decided to improve the process of vulnerability reporting,” Ramses Martinez, Director at Yahoo’s security team “Paranoids”, said in a blog post.

“My ‘send a t-shirt’ idea needed an upgrade. This month the security team was putting the finishing touches on the revised program. And then yesterday morning ‘t-shirt-gate’ hit. My inbox was full of angry email from people inside and out of Yahoo. How dare I send just a t-shirt to people as a thanks?”

The Yahoo director said the T-shirt idea came up because the company didn’t have a formal process to reward people who warned them about vulnerabilities. “I even bought the shirts with my own money,” Martinez said.

High-Tech Bridge researchers found the first Yahoo XSS vulnerability in just 45 minutes. The company declined to acknowledge it, saying it had already been reported, but offered no evidence of that. After the Swiss researchers discovered further security flaws, the tech giant eventually included them in the Bounty Program.

“Yahoo warmly thanked us for reporting the vulnerabilities and offered us… 12.50 USD (twelve dollars and fifty cents) reward per one vulnerability,” High-Tech Bridge said. “Moreover, this sum was given as a discount code that can only be used in the Yahoo Company Store, which sells Yahoo’s corporate t-shirts, cups, pens and other accessories.”

One of the XSS vulnerabilities affecting Yahoo displayed user cookies. Source: High-Tech Bridge

“Yahoo should probably revise their relations with security researchers,” High-Tech Bridge CEO Ilia Kolochenko said. “Paying several dollars per vulnerability is a bad joke and won’t motivate people to report security vulnerabilities to them, especially when such vulnerabilities can be easily sold on the black market for a much higher price. Nevertheless, money is not the only motivation of security researchers.”

Yahoo will ditch T-shirts for cash as of the end of October and will also retroactively reward researchers who found vulnerabilities going back to July 1. The company will determine the amount based on a set of elements that capture the severity of the issue and will update its “hall of fame” for the best reported issues. The tech giant will also revise the bounty offered to High-Tech Bridge, “who didn’t like” their t-shirt.

Companies such as Google and Facebook offer big bounties for vulnerability reporting. The search engine giant pays up to $20,000 for serious flaws, while Facebook gives at least $500. On, ethical hackers who dig for vulnerabilities may find a list of what many companies do for bug and vulnerability reports.


About the author

Bianca Stanescu, the fiercest warrior princess in the Bitdefender news palace, is a down-to-earth journalist, who's always on to a cybertrendy story. She's the industry news guru, who'll always keep a close eye on the AV movers and shakers and report their deeds from a fresh new perspective. Proud mother of one, she covers parental control topics, with a view to valiantly cutting a safe path for children through the Internet thicket. She likes to let words and facts speak for themselves.