Yahoo Awarded Researchers Over $1 Million in Bug Bounty Program

Nearly two years after it launched a bug bounty program, Yahoo says it has awarded researchers who reported security vulnerabilities a total of more than $1 million.

According to Ramses Martinez, senior director and interim CISO at Yahoo, the company has received 10,000 submissions from 1,800 researchers since the launch of the vulnerability rewards program. A total of 600 researchers reported valid security flaws, and 1,500 of those reports have resulted in a bounty payout.

The monthly validity rate of vulnerability reports is currently 15 percent, which represents a 5 percent increase compared to the end of 2014. Martinez noted that 87 percent of reporters have submitted fewer than 10 bugs, and half of all submissions come from the top 6 percent of contributors.

“A major improvement to our Bug Bounty program has been the implementation of a reputation system. This process is designed to award points to researchers after reporting a verifiable security bug. The number of points is also affected by the amount of the bounty the reporter is paid,” Martinez said in a blog post.

“The reputation system has made our list of top vulnerability reporters more meaningful by illustrating not only the number of reports they have submitted, but the severity value we assigned to each. The reputation system also gives researchers a quantifiable way to compare their skills with the rest of the participants in the program,” he added.

Before October 2013, researchers who reported vulnerabilities to Yahoo were awarded a $12.50 voucher. After numerous complaints, Yahoo launched a proper bug bounty program via HackerOne and promised contributors between $50 and $15,000 based on the severity of the bugs.

In October 2014, Yahoo reported paying out over $700,000 to researchers through its bug bounty program and now the total amount has increased to more than $1 million.

In comparison, Facebook said in February that it had paid out a total of $3 million since the launch of its vulnerability rewards program four years ago. The social media giant awarded researchers $1.3 million in 2014 alone.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
