Yahoo admits its bug bounty goof, and stops offering free t-shirts

Graham Cluley
Graham Cluley
@[email protected]

No Yahoo t-shirt. SorryFor a while there I thought there had been so much bad news for Yahoo recently, that it ran the risk of wrestling the security dumbo award from its normal home in the tight grip of the Oracle Java team.

Leaving aside the absurd debacle of its recycled email address scheme, and its CEO not thinking that having a passcode on her smartphone might be a good idea, they found themselves in the firing line for their “Find a bug in Yahoo Mail and we’ll give you $12.50 to buy one of our lousy t-shirts” slap-in-the-face for vulnerability researchers.

However, Yahoo appears to be trying to mend some of the damage.

In a self-effacing blog post entitled “So I’m the guy who sent the t-shirt out as a thank you”, Ramses Martinez, a director for Yahoo Paranoids (one assumes that’s the cutesy name for Yahoo’s security department) described the new bounty programme.

Yahoo bug bounty

Out go the t-shirt vouchers which can only be spent in the Yahoo Corporate Store. In come generous-sized bounties for researchers who responsibly disclose vulnerabilities to Yahoo’s security team.

Here are some details of the process and improvements Martinez says his team at Yahoo will be putting in place by the end of the month:

1) Reporting – We’re improving the reporting process for bugs and vulnerabilities to allow us to react even quicker and more effectively. Our new site will make sending in issues to us easier, and it will be more clear about the process.

2) Issue Validation – Yahoo’s security team currently reviews all submissions from the community within minutes or at most a few hours. We do this 365 days a year, 24 hours a day. This will not change, but the new reporting process will improve our overall speed and quality.

3) Issue Remediation – Like #2, we already act swiftly to address vulnerabilities or issues affecting our network and customers. Again, this is a 24×7 process for Yahoo, and that will not change. It’s important to note that the vulnerability in question in recent press stories had already been resolved by Yahoo’s security team by the time these stories were written. But with a more clear process, we hope to be even faster here, as well.

4) Recognition – Submitted issues are validated by our team. Upon validation we will contact the reporting individual or organization directly. People will be contacted by Yahoo in no more than fourteen days after submission (but typically much faster). And because we know that formal recognition from Yahoo is often useful to an individual’s career or a firm’s reputation, we will issue a formal recognition of your help either in an email or written letter, as appropriate. For the best reported issues, we will directly call out from our site an individual’s contribution in a “hall of fame.”

5) Reward – Out with t-shirts that I buy. Yahoo will now reward individuals and firms that identify what we classify as new, unique and/or high risk issues between $150 – $15,000. The amount will be determined by a clear system based on a set of defined elements that capture the severity of the issue.

I asked High-Tech Bridge, who highlighted Yahoo’s curious response to vulnerability researchers in the first place, for their thoughts on this change.

Ilia Kolochenko, the CEO of High-Tech Bridge said:

We were not doing our research for money, as we clearly said to Yahoo. However, we are glad that Yahoo is introducing new Bug Bounty Program that will facilitate their relations with security researchers and help them improving their corporate security.

The only unclear point I have right now is comment from their CSO who says that he paid researchers from his own pockets. Such action definitely deserves respect, but does he get his salary by Yahoo vouchers as well?

To be fair, Yahoo has handled its PR crisis well and with good humour. Their openness and willingless to make amends to the people who had received a risible store voucher was definitely the right approach.

Sign up to our free newsletter.
Security news, advice, and tips.

So, just two more things to sort out.

Yahoo’s head of security needs to have a quiet word in Marissa Mayer’s ear about the importance of locking her iPhone.

And they *really* need to be as open and honest about their moronic recycling email idea – which is conceived to convenience their current and future users, rather than protect the privacy and security of their legacy customers.

So, how about it Yahoo?

Or are you that keen to knock Oracle off its perch?

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

One comment on “Yahoo admits its bug bounty goof, and stops offering free t-shirts”

  1. jobewan

    Hmmm . . "Yahoo! paranoids." Couple of things I guess:

    – This seems like an effort on the part of the organization to keep the security folks down; in a contextually similar manner to the phrase: "The man is keeping me down."

    – Calling seasoned security professionals capable of protecting a bastion of apparent dumbness like Yahoo! from itself and others "paranoids" I think regardless of org culture, is a bit like calling Ms. Mayer (as an example only), "A hot chick"; "Babe"; "Hottie"; "Dog" (depending on whether one is attracted by hot blondes, or not).

    The comparison is clearly riddled with flaws to be sure, but the demeaning nature of both behaviors in the larger workplace fabric may well be spot on.

    – One is only truly paranoid, if 'They' are not really after one. And since 'They' are most assuredly after Yahoo and every other web presence of any signficance, then the moniker is technically incorrect, metaphorically incompetent, and just generally more than a little insulting.

    But maybe that's just me. I'm a 'paranoid'. ‘Not’.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.