Yahoo! Ups Bug Bounties after T-Shirt Gate
Joining the ranks of Google, Facebook, Microsoft, Mozilla, and others, Yahoo! will now offer payments or so-called bounties to developers and security researchers for finding security vulnerabilities in their software and applications. However, as with some of the other initiatives in the Marissa Mayer era, this move is not without some controversy.
"T-shirt gate" is what numerous media outlets are calling Yahoo!’s move to finally reward those who discover bugs with cash payments instead of a Yahoo! T-shirt. Really. Global information security services firm High-Tech Bridge got it going when they issued a press release titled “What’s your email security worth? 12 dollars and 50 cents according to Yahoo!.”
High-Tech Bridge found four XSS vulnerabilities in Yahoo!’s network and lamented that, although they were “warmly thanked” by Yahoo!, the reward was $12.50 USD. The reward came as a discount code redeemable only in the Yahoo! Company Store, which sells (what else?) Yahoo!’s corporate T-shirts, cups, and pens. While noting that money is not the only motivation, the company said, “At this point we decided to hold off on further research.”
Today, most companies do provide some financial incentive for reporting bugs, as ZDNet noted in its T-shirt gate article:
In a world where cybersecurity is a hot topic and cyberattacks are commonplace, having a good relationship with outside sources that are willing to tell you about a security flaw -- before a hacker uses it and potentially costs the company far more than a few thousand dollars or so reward -- is simply good practice.
Accompanying the PCWorld article on T-shirt gate is a link to a related story on the merits of bug bounty programs, citing a research study from the University of California, Berkeley showing that paying rewards to independent security researchers for finding software problems can be a cost-effective investment.
After the story broke, Ramses Martinez, director of the Yahoo! Paranoids security team, penned a blog post noting “My ‘send a t-shirt’ idea needed an upgrade” and offering a preview of Yahoo!’s new vulnerability reporting policy, which Martinez says is due to be released by October 31, 2013.
If you’re interested, here is Bugcrowd’s list of bug bounty programs.