Earlier this week, Yahoo was accused of using change in its sofa cushions as compensation for reports of security exploits, but now the whole ordeal has generated enough buzz to bring about change for the internet pioneer. As it turns out, these small prizes (along with rewards such as t-shirts) were paid for out of pocket by Ramses Martinez, the director of Yahoo’s security team, who took a moment today to explain the company’s new — and far more lucrative — bounty program. Moving forward, Yahoo will reward security researchers with payments that range between $150 and $15,000 for issues that it deems “new, unique and / or high-risk.”
The company is still in the early stages of hammering out a new policy, but promises that payments will be determined “by a clear system based on a set of defined elements that capture the severity of the issue.” Yes, these amounts still pale in comparison to the massive sums that Microsoft recently offered, but researchers now have reasonable incentive to inform Yahoo of the exploits, rather than sell them on the black market. According to Martinez, Yahoo’s revised policy will be available by the end of the month, and as a nice gesture, its new reward structure will retroactively apply to all bugs submitted from July 1st onward.
Filed under: Internet
Source: Yahoo! Developer Network
Kim Dotcom has brashly put forward a $13,500 bounty that will be the reward for the first person who successfully breaks into his Mega system’s security. I guess that amount of cash will mean something to most people, but for someone of his stature and cash reserves, it surely does not reflect the kind of confidence (IMHO) in Mega’s security system, no? I wonder which enterprising hacker will walk away with the €10,000 bounty (which is roughly $13,500 after conversion), and from which country he/she is from.
