Yahoo pays out equivalent of 80,000+ t-shirts to bug finders

Graham Cluley

Yahoo used to really know how to treat the vulnerability researchers who found bugs in its services.

They used to send them a voucher for a free Yahoo t-shirt.

Sadly, those glory days are now over after bug hunters pointed out – quite reasonably – that perhaps offering a $12.50 voucher that could only be used at the Yahoo merchandise store wasn’t really the best way to reward someone who found a serious vulnerability in Yahoo Mail.

In a blog post this week, interim Yahoo CISO Ramses Martinez announced that the company’s bug bounty program has now paid out over $1,000,000 USD.

Here are the main stats the company shared:

  • To date, we’ve paid out +$1M to security vulnerability reporters.
  • Submissions since the inception of the program have now reached the 10,000 mark.
  • Approximately 1,500 of these 10,000 reports have resulted in a bounty payout.
  • The current monthly validity rate of submissions is around 15%, an increase from 10% at the end of 2014.
  • More than 1,800 reporters have participated in the program, about 600 of these have reported verifiable bugs.
  • 50% of the submissions are from the top 6% set of contributors.
  • 87% of researchers submit less than 10 bugs, this equates to about 34% of all submissions.

1500 bounty payouts. At the old rate of one lousy $12.50 t-shirt voucher, that would mean $18,750 worth of t-shirts from the store.

Clearly something has changed, and Yahoo is treating vulnerability researchers much more seriously. That’s a good thing. I wonder how many are choosing to spend their hard-earned cash purchasing Yahoo’s corporate t-shirts, cups, pens and other accessories?

So, if Yahoo has actually paid out USD $1,000,000 then 1500 payouts would mean an average of…. uh oh.. hang on.. 1 million divided by 1500. That’s umm.. 666.66666666 (recurring).

Maybe it’s a good thing they said it was over a million dollars.

Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley.

4 Replies to “Yahoo pays out equivalent of 80,000+ t-shirts to bug finders”

  1. "1 million divided by 1500. That's umm.. 666.66666666 (recurring).

    Maybe it's a good thing they said it was over a million dollars."

    If $666.66 worked for the Apple I, why not here ?

  2. After the way that I see them run their search engine (badly) and the way that they have treated their Flickr customers (badly), I wouldn't wear their T-shirt if you paid me, and believe me, I love a free T-shirt !!

  3. If Yahoo gives a shirt or a 12.50 voucher for a security flaw, I'm not going to give *THEM* the info.
