Yahoo has quickly revamped its vulnerability reporting and handling mechanism after it was ridiculed just a couple of days earlier for handing out $12.50 per XSS vulnerability.
Explaining Yahoo’s stance on vulnerability reporting and the way reports have been handled until now, Ramses Martinez, Director, Yahoo Paranoids, acknowledged that Yahoo has been quick in remediating the reported vulnerabilities “but didn’t have anything formal for thanking people that sent them in.”
Martinez said that he initially started sending out Yahoo T-shirts to vulnerability researchers with his own money. There were instances where researchers replied saying that they already had a T-shirt, after which Martinez started “buying a gift certificate so they could get another gift of their choice.” The director of Yahoo Paranoids claimed that the team was already putting the finishing touches on the company’s vulnerability reporting program when the “t-shirt-gate” hit.
Yahoo’s new policy promises easier bug reporting, faster assessment and response followed by a fix, and ultimately proper recognition for the researchers who found and reported the bugs in the first place. The Internet giant will now offer proper cash rewards ranging from $150 to as high as $15,000, depending on how unique the vulnerability is and how much risk it carries. Martinez said that cash rewards “will be determined by a clear system based on a set of defined elements that capture the severity of the issue.”
Yahoo has also revealed that the system will go into effect by the end of October, but it will offer backdated rewards for reports submitted from July 1 onwards. Martinez added that those who got a T-shirt for reporting a vulnerability after July 1 will be contacted again.
“This includes, of course, a check for the researchers at High-Tech Bridge who didn’t like my t-shirt,” Martinez concludes.