Internet giant Yahoo has announced that its long-awaited bug bounty program is now in full swing, offering cash rewards to researchers who responsibly disclose vulnerabilities in the company’s Yahoo- and Flickr-branded offerings.
“What an amazing experience the last twenty-nine days have been. The response from the security community to our announcement of a formal Yahoo bug bounty program has been extremely positive. Thank you!” said Ramses Martinez, Director, Yahoo Paranoids.
“All the meetings, emails, new contacts, and tons of discussions have all led to this…we are ready to launch our Bug Bounty Program.”
According to Martinez, the basic parameters of the program are as follows:
1) Reporting – You can now submit your vulnerability reports here: http://bugbounty.yahoo.com/. This allows you to easily capture the information needed so we can quickly validate every issue.
2) Validation – Submissions will continue to be validated 24×7 by our security team. We will also continue to manually respond to each submitter; our goal is to engage the security community in a personal and open manner.
3) Remediation – We pride ourselves in fixing submitted issues as quickly as possible. We hope that the new, more automated submission process will reduce remediation time even further.
4) Recognition – All validated issues will have the option of having your name appear on our ‘Wall of Fame.’ This page will have both our top-ten all time reporters as well as every valid report on a per-month basis. Let us know how you want to be recognized.
5) Reward – You can still get a t-shirt, but you will now also be paid for qualifying submissions. These amounts can vary from $250 – $15,000 depending on the severity and complexity of the issue.
To be eligible for the cash bounties offered, researchers must demonstrate they are the first to report a previously unknown vulnerability, and they must adhere to the responsible disclosure policies designed to allow Yahoo to mitigate the bugs before any public announcement is made.
“It is our hope that the official launch of this program will usher in a new, less-shirt-centric era for security at Yahoo. We look forward to open and productive collaboration with the community and doing our part to make the Internet more secure,” Martinez said.