The overhaul came two days after security researchers from “High Tech Bridge” revealed that they would receive only $12.5 from Yahoo as a reward for their responsible disclosure.
Ramses Martinez, director of the Yahoo Paranoids, explained in a blog post that the t-shirts were his personal thank-you and not a company policy. Yahoo had no formal reward system for individuals who found security holes in its platform.
Martinez revealed they have decided to preview their new vulnerability reporting policy a bit early.
Here are the five key points addressed in Yahoo’s new bug bounty program:
1) Reporting – We’re improving the reporting process for bugs and vulnerabilities to allow us to react even quicker and more effectively. Our new site will make sending in issues to us easier, and it will be more clear about the process.
2) Issue Validation – Yahoo’s security team currently reviews all submissions from the community within minutes or at most a few hours. We do this 365 days a year, 24 hours a day. This will not change, but the new reporting process will improve our overall speed and quality.
3) Issue Remediation – Like #2, we already act swiftly to address vulnerabilities or issues affecting our network and customers. Again, this is a 24×7 process for Yahoo, and that will not change. It’s important to note that the vulnerability in question in recent press stories had already been resolved by Yahoo’s security team by the time these stories were written. But with a more clear process, we hope to be even faster here, as well.
4) Recognition – Submitted issues are validated by our team. Upon validation we will contact the reporting individual or organization directly. People will be contacted by Yahoo in no more than fourteen days after submission (but typically much faster). And because we know that formal recognition from Yahoo is often useful to an individual’s career or a firm’s reputation, we will issue a formal recognition of your help either in an email or written letter, as appropriate. For the best reported issues, we will directly call out from our site an individual’s contribution in a “hall of fame.”
5) Reward – Out with t-shirts that I buy. Yahoo will now reward individuals and firms that identify what we classify as new, unique and/or high risk issues between $150 – $15,000. The amount will be determined by a clear system based on a set of defined elements that capture the severity of the issue.