Yahoo pays out equivalent of 80,000+ t-shirts to bug finders

Yahoo used to really know how to treat the vulnerability researchers who found bugs in its services.

They used to send them a voucher for a free Yahoo t-shirt.

Sadly, those glory days are now over after bug hunters pointed out - quite reasonably - that perhaps offering a $12.50 voucher that could only be used at the Yahoo merchandise store wasn’t really the best way to reward someone who found a serious vulnerability in Yahoo Mail.

In a blog post this week, interim Yahoo CISO Ramses Martinez announced that the company’s bug bounty program has now paid out over $1,000,000 USD.

Here are the main stats the company shared:

  • To date, we’ve paid out +$1M to security vulnerability reporters.
  • Submissions since the inception of the program have now reached the 10,000 mark.
  • Approximately 1,500 of these 10,000 reports have resulted in a bounty payout.
  • The current monthly validity rate of submissions is around 15%, an increase from 10% at the end of 2014.
  • More than 1,800 reporters have participated in the program; about 600 of these have reported verifiable bugs.
  • 50% of the submissions are from the top 6% set of contributors.
  • 87% of researchers submit fewer than 10 bugs; this equates to about 34% of all submissions.

1,500 bounty payouts. At the old rate of one lousy $12.50 t-shirt voucher, that would have meant $18,750 worth of t-shirts from the store.

Clearly something has changed, and Yahoo is treating vulnerability researchers much more seriously. That’s a good thing. I wonder how many would have chosen to spend their hard-earned cash purchasing Yahoo’s corporate t-shirts, cups, pens and other accessories?

So, if Yahoo has actually paid out USD $1,000,000 then 1,500 payouts would mean an average of… uh oh… hang on… 1 million divided by 1,500. That’s umm… 666.66666666 (recurring).

Maybe it’s a good thing they said it was over a million dollars.


4 Responses

  1. Anonymous

    July 29, 2015 at 10:03 pm

    A step in the right direction.

  2. Coyote

    July 29, 2015 at 10:21 pm

    “1 million divided by 1500. That’s umm.. 666.66666666 (recurring).

    Maybe it’s a good thing they said it was over a million dollars.”

    If $666.66 worked for the Apple I, why not here?

  3. Jim Goodyear

    July 30, 2015 at 12:27 pm

    After the way that I see them run their search engine (badly) and the way that they have treated their Flickr customers (badly), I wouldn’t wear their T-shirt if you paid me, and believe me, I love a free T-shirt!!

  4. Anonymous

    July 30, 2015 at 2:27 pm

    If Yahoo gives a shirt or a 12.50 voucher for a security flaw, I’m not going to give *THEM* the info.
