Security Experts:

Yahoo Awarded Researchers Over $1 Million in Bug Bounty Program

Nearly two years after it launched a bug bounty program, Yahoo says it has awarded researchers who reported security vulnerabilities a total of more than $1 million.

According to Ramses Martinez, senior director and interim CISO at Yahoo, the company has received 10,000 submissions from 1,800 researchers since the launch of the vulnerability rewards program. A total of 600 researchers reported valid security flaws, 1,500 of which have resulted in a bounty payout.

The monthly validity rate of vulnerability reports is currently 15 percent, which represents a 5 percent increase compared to the end of 2014. Martinez noted that 87 percent of reporters have submitted less than 10 bugs, and half of all submissions are from the top 6 percent of contributors.

“A major improvement to our Bug Bounty program has been the implementation of a reputation system. This process is designed to award points to researchers after reporting a verifiable security bug. The number of points is also affected by the amount of the bounty the reporter is paid,” Martinez said in a blog post.

“The reputation system has made our list of top vulnerability reporters more meaningful by illustrating not only the number of reports they have submit, but the severity value we assigned to each. The reputation system also gives researchers a quantifiable way to compare their skills with the rest of the participants in the program,” he added.

Before October 2013, researchers who reported vulnerabilities to Yahoo were awarded a $12.50 voucher. After numerous complaints, Yahoo launched a proper bug bounty program via HackerOne and promised contributors between $50 and $15,000 based on the severity of the bugs.

In October 2014, Yahoo reported paying out over $700,000 to researchers through its bug bounty program and now the total amount has increased to more than $1 million.

In comparison, Facebook said in February that it had paid out a total of $3 million since the launch of its vulnerability rewards program four years ago. The social media giant awarded researchers $1.3 million in 2014 alone.

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.