Yahoo used to really know how to treat the vulnerability researchers who found bugs in its services.
They used to send them a voucher for a free Yahoo t-shirt.
Sadly, those glory days are now over after bug hunters pointed out - quite reasonably - that perhaps offering a $12.50 voucher that could only be used at the Yahoo merchandise store wasn't really the best way to reward someone who found a serious vulnerability in Yahoo Mail.
Here are the main stats the company shared:
- To date, we’ve paid out +$1M to security vulnerability reporters.
- Submissions since the inception of the program have now reached the 10,000 mark.
- Approximately 1,500 of these 10,000 reports have resulted in a bounty payout.
- The current monthly validity rate of submissions is around 15%, an increase from 10% at the end of 2014.
- More than 1,800 reporters have participated in the program, about 600 of these have reported verifiable bugs.
- 50% of the submissions are from the top 6% set of contributors.
- 87% of researchers submit less than 10 bugs, this equates to about 34% of all submissions.
1500 bounty payouts. At the old rate of one lousy $12.50 t-shirt voucher, that would meant $18,750 worth of t-shirts from the store.
Clearly something has changed, and Yahoo is treating vulnerability researchers much more seriously. That's a good thing. I wonder how many choosing to spend their hard-earned cash purchasing Yahoo’s corporate t-shirts, cups, pens and other accessories?
So, if Yahoo has actually paid out USD $1,000,000 then 1500 payouts would mean an average of.... uh oh.. hang on.. 1 million divided by 1500. That's umm.. 666.66666666 (recurring).
Maybe it's a good thing they said it was over a million dollars.