Yahoo pays out equivalent of 80,000+ t-shirts to bug finders

Yahoo mugYahoo used to really know how to treat the vulnerability researchers who found bugs in its services.

They used to send them a voucher for a free Yahoo t-shirt.

Sadly, those glory days are now over after bug hunters pointed out – quite reasonably – that perhaps offering a $12.50 voucher that could only be used at the Yahoo merchandise store wasn’t really the best way to reward someone who found a serious vulnerability in Yahoo Mail.

In a blog post this week, interim Yahoo CISO Ramses Martinez announced that the company’s bug bounty program has now paid out over $1,000,000 USD.

Sign up to our free newsletter.
Security news, advice, and tips.

Here are the main stats the company shared:

  • To date, we’ve paid out +$1M to security vulnerability reporters.
  • Submissions since the inception of the program have now reached the 10,000 mark.
  • Approximately 1,500 of these 10,000 reports have resulted in a bounty payout.
  • The current monthly validity rate of submissions is around 15%, an increase from 10% at the end of 2014.
  • More than 1,800 reporters have participated in the program, about 600 of these have reported verifiable bugs.
  • 50% of the submissions are from the top 6% set of contributors.
  • 87% of researchers submit less than 10 bugs, this equates to about 34% of all submissions.

1500 bounty payouts. At the old rate of one lousy $12.50 t-shirt voucher, that would meant $18,750 worth of t-shirts from the store.

Clearly something has changed, and Yahoo is treating vulnerability researchers much more seriously. That’s a good thing. I wonder how many choosing to spend their hard-earned cash purchasing Yahoo’s corporate t-shirts, cups, pens and other accessories?

So, if Yahoo has actually paid out USD $1,000,000 then 1500 payouts would mean an average of…. uh oh.. hang on.. 1 million divided by 1500. That’s umm.. 666.66666666 (recurring).

Maybe it’s a good thing they said it was over a million dollars.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

4 comments on “Yahoo pays out equivalent of 80,000+ t-shirts to bug finders”

  1. Anonymous

    A step in the right direction.

  2. Coyote

    "1 million divided by 1500. That's umm.. 666.66666666 (recurring).

    Maybe it's a good thing they said it was over a million dollars."

    If $666.66 worked for the Apple I, why not here ?

  3. Jim Goodyear

    After the way that i see them run their search engine (badly) and the way that they have treated their Flickr customers (badly), i wouldn't wear their T Shirt if you paid me, and believe me, i love a free T Shirt !!

  4. Anonymous

    If Yahoo gives a shirt or a 12.50 voucher for a security flaw, I'm not going to give *THEM* the info.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.