Security Experts:

Yahoo Paid Out $2 Million in Bug Bounty Program

Yahoo reported on Monday that between the launch of its bug bounty program in 2013 and December 2016 it had paid out a total of more than $2 million.

A comparison to the previous report shows that the Internet giant awarded bounty hunters roughly $400,000 in 2016.

Since the launch of its program three years ago, Yahoo has worked with more than 2,000 researchers from 80 countries, and its HackerOne page lists a total of 3,500 resolved vulnerability reports. The company said it rewarded nearly 200 researchers last year.

Yahoo bug bounty program contributions

“Yes, this all comes with a degree of vulnerability. After all, we’re asking some of the world’s best hackers to seek out soft spots in our defenses,” said Andrew Rios, security engineer at Yahoo. “But it’s acceptable risk. The right incentives combined with some hackers who actually want to do some good has resulted in a diverse and growing global community of contributors to our security.”

Yahoo did not want to share any information on its largest single payout, but pointed to a post that explains how the company evaluates each vulnerability report. The blog post published by the company on Monday references a recent Flickr account hijacking exploit that earned a researcher $7,000.

“Most bounties accounted for less impactful vulnerabilities, but some were more substantial,” Rios said.

In comparison, Facebook has paid out more than $5 million since the launch of its program in 2011, while Google has awarded experts $9 million since 2010.

Google’s biggest single reward last year was $100,000 (of a total of $3 million). Facebook is also known to award significant bounties – the largest payout to date was $40,000 for a remote code execution vulnerability introduced by the ImageMagick image processing suite.

Related: Rockstar Games Launches Public Bug Bounty Program

Related: DoD Launches "Hack the Air Force" Bug Bounty Program

Related: Netgear Launches Bug Bounty Program

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.