Yahoo! dumped T-shirt bounties for money rewards, after a team of Swiss security researchers publicly shamed the tech giant for offering clothing discounts instead of dollars. The branded T-shirt rewards will be replaced with bounties between $150 and $15,000 for vulnerabilities classified as “new, unique and/or high risk.”
In September, Yahoo's reputation was seriously shaken by Swiss security company High-Tech Bridge, who found four serious vulnerabilities in the network, three of which could have allowed hackers to hijack any email account. The cross-site scripting flaws have been fixed in the meantime, but the Swiss researchers were only offered $12.50 t-shirts as a reward.
"We recently decided to improve the process of vulnerability reporting," Ramses Martinez, Director at Yahoo's security team "Paranoids", said in a blog post.
"My 'send a t-shirt' idea needed an upgrade. This month the security team was putting the finishing touches on the revised program. And then yesterday morning 't-shirt-gate' hit. My inbox was full of angry email from people inside and out of Yahoo. How dare I send just a t-shirt to people as a thanks?"
The Yahoo director said the T-shirt idea came up because the company didn't have a formal process to reward people who warned them about vulnerabilities. "I even bought the shirts with my own money," Martinez said.
High-Tech Bridge researchers found the first Yahoo XSS vulnerability in just 45 minutes. The company declined to acknowledge it, saying it had already been reported, but offered no evidence of that. After the Swiss researchers discovered further security flaws, the tech giant eventually included them in the Bounty Program.
"Yahoo warmly thanked us for reporting the vulnerabilities and offered us… 12.50 USD (twelve dollars and fifty cents) reward per one vulnerability," High-Tech Bridge said. "Moreover, this sum was given as a discount code that can only be used in the Yahoo Company Store, which sells Yahoo's corporate t-shirts, cups, pens and other accessories."
"Yahoo should probably revise their relations with security researchers," High-Tech Bridge CEO Ilia Kolochenko said. "Paying several dollars per vulnerability is a bad joke and won't motivate people to report security vulnerabilities to them, especially when such vulnerabilities can be easily sold on the black market for a much higher price. Nevertheless, money is not the only motivation of security researchers."
Yahoo will ditch T-shirts for cash as of the end of October and will also retroactively reward researchers who found vulnerabilities going back to July 1. The company will determine the amount based on a set of elements that capture the severity of the issue and will update their "hall of fame" for the best reported issues. The tech giant will also revise the bounty offered to High-Tech Bridge, "who didn't like" their t-shirt.
Companies such as Google and Facebook offer big bounties for vulnerability reporting. The search engine giant pays up to $20,000 for serious flaws, while Facebook gives at least $500. On Bugcrowd.com, ethical hackers who dig for vulnerabilities may find a list of what many companies do for bug and vulnerability reports.