Yahoo pays out equivalent of 80,000+ t-shirts to bug finders

Yahoo mugYahoo used to really know how to treat the vulnerability researchers who found bugs in its services.

They used to send them a voucher for a free Yahoo t-shirt.

Sadly, those glory days are now over after bug hunters pointed out - quite reasonably - that perhaps offering a $12.50 voucher that could only be used at the Yahoo merchandise store wasn't really the best way to reward someone who found a serious vulnerability in Yahoo Mail.

In a blog post this week, interim Yahoo CISO Ramses Martinez announced that the company's bug bounty program has now paid out over $1,000,000 USD.

Here are the main stats the company shared:

  • To date, we’ve paid out +$1M to security vulnerability reporters.
  • Submissions since the inception of the program have now reached the 10,000 mark.
  • Approximately 1,500 of these 10,000 reports have resulted in a bounty payout.
  • The current monthly validity rate of submissions is around 15%, an increase from 10% at the end of 2014.
  • More than 1,800 reporters have participated in the program, about 600 of these have reported verifiable bugs.
  • 50% of the submissions are from the top 6% set of contributors.
  • 87% of researchers submit less than 10 bugs, this equates to about 34% of all submissions.

1500 bounty payouts. At the old rate of one lousy $12.50 t-shirt voucher, that would meant $18,750 worth of t-shirts from the store.

Clearly something has changed, and Yahoo is treating vulnerability researchers much more seriously. That's a good thing. I wonder how many choosing to spend their hard-earned cash purchasing Yahoo’s corporate t-shirts, cups, pens and other accessories?

So, if Yahoo has actually paid out USD $1,000,000 then 1500 payouts would mean an average of.... uh oh.. hang on.. 1 million divided by 1500. That's umm.. 666.66666666 (recurring).

Maybe it's a good thing they said it was over a million dollars.

Tags: , ,

Smashing Security podcast
Check out "Smashing Security", the new weekly audio podcast, with Graham Cluley, Carole Theriault, and special guests from the world of information security.

"Three people having fun in an industry often focused on bad news" • "It's brilliant!" • "The Top Gear of computer security"

Latest episode:

, ,

4 Responses

  1. Anonymous

    July 29, 2015 at 10:03 pm #

    A step in the right direction.

  2. Coyote

    July 29, 2015 at 10:21 pm #

    "1 million divided by 1500. That's umm.. 666.66666666 (recurring).

    Maybe it's a good thing they said it was over a million dollars."

    If $666.66 worked for the Apple I, why not here ?

  3. Jim Goodyear

    July 30, 2015 at 12:27 pm #

    After the way that i see them run their search engine (badly) and the way that they have treated their Flickr customers (badly), i wouldn't wear their T Shirt if you paid me, and believe me, i love a free T Shirt !!

  4. Anonymous

    July 30, 2015 at 2:27 pm #

    If Yahoo gives a shirt or a 12.50 voucher for a security flaw, I'm not going to give *THEM* the info.

Leave a Reply