For a while there I thought there had been so much bad news for Yahoo recently that it ran the risk of wresting the security dumbo award from its normal home in the tight grip of the Oracle Java team.
Leaving aside the absurd debacle of its recycled email address scheme, and its CEO not thinking that a passcode on her smartphone might be a good idea, the company found itself in the firing line for its “Find a bug in Yahoo Mail and we’ll give you $12.50 to buy one of our lousy t-shirts” slap in the face for vulnerability researchers.
However, Yahoo appears to be trying to mend some of the damage.
In a self-effacing blog post entitled “So I’m the guy who sent the t-shirt out as a thank you”, Ramses Martinez, a director for Yahoo Paranoids (one assumes that’s the cutesy name for Yahoo’s security department) described the new bounty programme.
Out go the t-shirt vouchers, which could only be spent in the Yahoo Corporate Store. In come generously sized bounties for researchers who responsibly disclose vulnerabilities to Yahoo’s security team.
Here are some details of the process and improvements Martinez says his team at Yahoo will be putting in place by the end of the month:
1) Reporting - We’re improving the reporting process for bugs and vulnerabilities to allow us to react even quicker and more effectively. Our new site will make sending in issues to us easier, and it will be more clear about the process.
2) Issue Validation - Yahoo’s security team currently reviews all submissions from the community within minutes or at most a few hours. We do this 365 days a year, 24 hours a day. This will not change, but the new reporting process will improve our overall speed and quality.
3) Issue Remediation - Like #2, we already act swiftly to address vulnerabilities or issues affecting our network and customers. Again, this is a 24x7 process for Yahoo, and that will not change. It’s important to note that the vulnerability in question in recent press stories had already been resolved by Yahoo’s security team by the time these stories were written. But with a more clear process, we hope to be even faster here, as well.
4) Recognition - Submitted issues are validated by our team. Upon validation we will contact the reporting individual or organization directly. People will be contacted by Yahoo in no more than fourteen days after submission (but typically much faster). And because we know that formal recognition from Yahoo is often useful to an individual’s career or a firm’s reputation, we will issue a formal recognition of your help either in an email or written letter, as appropriate. For the best reported issues, we will directly call out from our site an individual’s contribution in a “hall of fame.”
5) Reward - Out with t-shirts that I buy. Yahoo will now reward individuals and firms that identify what we classify as new, unique and/or high risk issues between $150 and $15,000. The amount will be determined by a clear system based on a set of defined elements that capture the severity of the issue.
I asked High-Tech Bridge, who highlighted Yahoo’s curious response to vulnerability researchers in the first place, for their thoughts on this change.
Ilia Kolochenko, the CEO of High-Tech Bridge said:
We were not doing our research for money, as we clearly said to Yahoo. However, we are glad that Yahoo is introducing a new Bug Bounty Program that will facilitate their relations with security researchers and help them improve their corporate security.
The only unclear point I have right now is the comment from their CSO, who says that he paid researchers from his own pocket. Such action definitely deserves respect, but does he get his salary in Yahoo vouchers as well?
To be fair, Yahoo has handled its PR crisis well and with good humour. Its openness and willingness to make amends to the people who had received a risible store voucher was definitely the right approach.
So, just two more things to sort out.
Yahoo’s head of security needs to have a quiet word in Marissa Mayer’s ear about the importance of locking her iPhone.
And they *really* need to be as open and honest about their moronic email recycling idea, which was conceived for the convenience of current and future users rather than to protect the privacy and security of legacy customers, who stand to have mail meant for them land in a stranger’s inbox.
So, how about it Yahoo?
Or are you that keen to knock Oracle off its perch?