Yahoo pays out equivalent of 80,000+ t-shirts to bug finders

Yahoo used to really know how to treat the vulnerability researchers who found bugs in its services.

They used to send them a voucher for a free Yahoo t-shirt.

Sadly, those glory days are now over after bug hunters pointed out – quite reasonably – that perhaps offering a $12.50 voucher that could only be used at the Yahoo merchandise store wasn’t really the best way to reward someone who found a serious vulnerability in Yahoo Mail.

In a blog post this week, interim Yahoo CISO Ramses Martinez announced that the company’s bug bounty program has now paid out over $1,000,000 USD.

Here are the main stats the company shared:

• To date, we’ve paid out +$1M to security vulnerability reporters.
• Submissions since the inception of the program have now reached the 10,000 mark.
• Approximately 1,500 of these 10,000 reports have resulted in a bounty payout.
• The current monthly validity rate of submissions is around 15%, an increase from 10% at the end of 2014.
• More than 1,800 reporters have participated in the program, about 600 of these have reported verifiable bugs.
• 50% of the submissions are from the top 6% set of contributors.
• 87% of researchers submit less than 10 bugs, this equates to about 34% of all submissions.

1500 bounty payouts. At the old rate of one lousy $12.50 t-shirt voucher, that would meant $18,750 worth of t-shirts from the store.

Clearly something has changed, and Yahoo is treating vulnerability researchers much more seriously. That’s a good thing. I wonder how many choosing to spend their hard-earned cash purchasing Yahoo’s corporate t-shirts, cups, pens and other accessories?

So, if Yahoo has actually paid out USD $1,000,000 then 1500 payouts would mean an average of…. uh oh.. hang on.. 1 million divided by 1500. That’s umm.. 666.66666666 (recurring).

Maybe it’s a good thing they said it was over a million dollars.

Found this article interesting? Follow Graham Cluley on Twitter or Mastodon to read more of the exclusive content we post.

Graham Cluley •   @gcluley

Graham Cluley is a veteran of the cybersecurity industry, having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent analyst, he regularly makes media appearances and is an international public speaker on the topic of cybersecurity, hackers, and online privacy. Follow him on Twitter, Mastodon, Bluesky, or drop him an email.