Yahoo abandons T-shirt rewards for vulnerability information

Starting Oct. 31, Yahoo will pay between US$150 to $15,000 for flaws, in line with bounties paid by Facebook and Google
  • Jeremy Kirk (IDG News Service)
  • — 03 October, 2013 03:42

Yahoo will stop giving T-shirts as a reward for finding security vulnerabilities after a public shaming it's calling "t-shirt gate."The company received a drubbing from the Swiss security company High-Tech Bridge after it found four serious vulnerabilities in Yahoo's network, all of which have now been fixed. Three of those problems -- cross-site scripting flaws -- could have allowed an attacker to hijack a person's Yahoo email account.

Starting Oct. 31, Yahoo will pay rewards ranging from US$150 to $15,000 for vulnerabilities provided those flaws are new, unique or high risk. It plans to retroactively reward researchers who notified the company of issues going back to July 1, wrote Ramses Martinez, director of Yahoo's security team, in a blog post on Wednesday.

"This includes, of course, a check for the researchers at High-Tech Bridge who didn't like my t-shirt," Martinez wrote.

High-Tech Bridge issued a press release on Monday saying Yahoo offered $12.50 in credit per vulnerability, which could be used toward Yahoo-branded items such as T-shirts, cups and pens from its store.

As a result, High-Tech Bridge said it would hold off doing more research on Yahoo's network. The company wrote that Yahoo's reward was "a bad joke."

Many large companies such as Google and Facebook offer lucrative bounties for vulnerability information. Google will pay up to $20,000 for a qualifying vulnerability, and Facebook pays a minimum of $500.

It's cheaper for companies to pay for vulnerability information rather than hire full-time researchers. It also helps dissuade researchers from turning to hacking forums to monetize their information, where it might be used to do harm.

Yahoo never had a formal process for recognizing security researchers. Martinez wrote that he began started sending T-shirts to researchers to express thanks.

"I even bought the shirts with my own money," he wrote.

But Yahoo had recently decided to improve its vulnerability reporting program. While Yahoo acted fast on the vulnerability information it received, "my 'send a t-shirt' idea needed an upgrade," Martinez wrote.

"This month the security team was putting the finishing touches on the revised program," he wrote. "And then yesterday morning 't-shirt-gate' hit. My inbox was full of angry email from people inside and out of Yahoo. How dare I send just a t-shirt to people as a thanks?"

Yahoo also plans to improve its Web page where researchers can send in security issues. Researchers will be contacted within two weeks, Martinez wrote. Those who successfully submit valid flaws can also get an email or written letter than can be used as a reference for their work.

"For the best reported issues, we will directly call out from our site an individual's contribution in a 'hall of fame,'" he wrote.

Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk

Tags: Yahoo, security, data protection, Exploits / vulnerabilities, malware

Aussie cops: Silk Road TOR anonymity 'not guaranteed'

READ THIS ARTICLE
DO NOT SHOW THIS BOX AGAIN [ x ]
Comments are now closed.
CSO Corporate Partners
  • Webroot
  • Trend Micro
  • NetIQ
rhs_login_lockGet exclusive access to CSO, invitation only events, reports & analysis.
CSO Directory

Secure Virtualization of Business Applications

Run your mission-critical applications in a secure and compliant virtual datacenter, or private cloud.

Latest Jobs
Security Awareness Tip

Incident handling is a vast topic, but here are a few tips for you to consider in your incident response. I hope you never have to use them, but the odds are at some point you will and I hope being ready saves you pain (or your job!).


  1. Have an incident response plan.

  2. Pre-define your incident response team 

  3. Define your approach: watch and learn or contain and recover.

  4. Pre-distribute call cards.

  5. Forensic and incident response data capture.

  6. Get your users on-side.

  7. Know how to report crimes and engage law enforcement. 

  8. Practice makes perfect.

For the full breakdown on this article

Security ABC Guides

Warning: Tips for secure mobile holiday shopping

I’m dating myself, but I remember when holiday shopping involved pouring through ads in the Sunday paper, placing actual phone calls from tethered land lines to research product stock and availability, and actually driving places to pick things up. Now, holiday shoppers can do all of that from a smartphone or tablet in a few seconds, but there are some security pitfalls to be aware of.