Slashdot Mirror


Yahoo To Offer Bug Bounty Rewards Up To $15,000

aesoteric writes "Yahoo is set to launch its first formal bug bounty system after Swiss pen testers complained about the $12.50 vouchers offered for locating XSS vulnerabilities. The web giant also said the voucher rewards were informal and actually funded out of the pockets of the company's own IT security staff."


  1. In other news... by Frosty+Piss · · Score: 5, Insightful

    ...The once powerful Yahoo grasps at straws to attract developers back after fucking them over for a few years...

    --
    If you want news from today, you have to come back tomorrow.
    1. Re:In other news... by msauve · · Score: 1

      Well, they do have the name right - they're all yahoos. Seriously, is there anything Yahoo! does, which someone else doesn't do much better?

      --
      "National Security is the chief cause of national insecurity." - Celine's First Law
    2. Re:In other news... by hutsell · · Score: 1

      ...The once powerful Yahoo grasps at straws to attract developers back after fucking them over for a few years...

      Perhaps even the non-developers — the Yahoo! Yodeler, Wylie Gustafson is one that comes to mind from over a decade ago.

      --
      Yesterday's Weirdness is Tomorrow's Reason Why
    3. Re:In other news... by mechtech256 · · Score: 1

      Yahoo Finance is very good.

    4. Re:In other news... by GumphMaster · · Score: 1

      Nope, didgeridoo players and even Kenny G beat them hands down on this: Circular breathing

      --
      Patent litigation: A doctrine of Mutually Assured Destruction... in which everyone seems willing to push the button
    5. Re: In other news... by Anonymous Coward · · Score: 1

      Go home Ballmer. You are drunk. And fired.

    6. Re:In other news... by tripleevenfall · · Score: 1

      Well, actually from 1787 they were 3/5ths of a human.

      I don't think the word has any place in polite usage, but this is the internet.

  2. But... by Freshly+Exhumed · · Score: 1

    Do you still get the T-shirt?

    --
    I deny that I have not avoided attaining the opposite of that which I do not want.
  3. Re:Bugs? by Anonymous Coward · · Score: 1

    You still use both IE and Yahoo? How quaint...

  4. Definition of Scrooge by snero3 · · Score: 2

    the web giant also said the voucher rewards were informal and actually funded out of the pockets of the company's own IT security staff

    I don't know how many t-shirts they gave out, but I am led to believe it wasn't many. If someone freely, out of their own good will, helps you out at your job! and you can only manage to pony up $12.50, that is just an insult. I personally would prefer just an email of thanks to that!! Hell, a case of beer maybe!!

    I bet these guys aren't first in line to order a round on Friday night.

    --
    It said "windows 98 or better" so I installed Linux
    1. Re:Definition of Scrooge by Lunix+Nutcase · · Score: 1

      The Yahoo store sells six packs of beer?

    2. Re:Definition of Scrooge by jiriw · · Score: 2

      I don't know...

      Yes, someone did notify you of something you probably didn't realise yet. And it might have become a problem for the company later on... if the wrong people found out just that. That person did it freely and out of his/her own good, but it doesn't necessarily make your job easier (maybe even harder, because now you have to solve this while there are already enough other problems on your plate). It won't reduce your workload... your employer has enough other things for you to do... it won't get you to that pub a minute earlier than your employer allows you to leave for the weekend (and that might be even later now). You won't tell that to the person who made that bug report, though. You're glad there are people who actively want to involve themselves in the security of the product you're proud to work on, even though they do it without prospect of financial gain.
      As a small thank you, you send the person a gift certificate paid from your own money, effectively saying 'Here is an hour of my time in wages. Please spend it on something you like' (give or take... My reference is my current hourly wage, after taxes, as an IT professional, which is a little more, but not much).

      Of course there is nothing wrong with a proper reward program, financed by the actual company. If these bugs take at least some skill and resources to track down, and are that valuable, it would be rather cheap of a company not to have one. That having been said, a pay check for services rendered from a company is totally different from an employee paying you a small token out of his/her own pocket while the direct value for that employee is, at least, questionable.

    3. Re:Definition of Scrooge by pla · · Score: 1

      Psychologically it's a different thing. Giving someone a small sum of raw cash instead of a gift worth about the same is generally considered crass.

      Only because we expect the humans giving us gifts to know us well enough to make it a bit more personal. In contrast, I want Yahoo to know as little about me as possible. They can send me $12.50 in BTC to an anonymous address, for all I care about how they reward people.

      Uncle Tony writing a $12.50 check: Crass. Yahoo writing a $12.50 check: Insultingly cheap, but otherwise okay.

  5. Undestroy by XB-70 · · Score: 2

    The Undestroy button is not working. The fix is to re-establish the chat rooms, clear the clutter from Yahoo! Messenger, make mail actually function at a reasonable speed and eliminate the mindless Hollywood crap from the main page. I'd like my $$$ now, please.

    --
    *** Don't be dull.***
  6. Re:Good luck getting paid by muphin · · Score: 3, Interesting

    That's counterproductive. Hiring a full-time developer to scour the site for bugs would cost hundreds of thousands, and here we have people with the skill for a small amount. Also, if the people doing the pen-testing get fucked over, they just release the exploit and move on to a site that appreciates their time.

    --
    It's not a typo if you understood the meaning!
  7. Talk about your risk by djupedal · · Score: 1

    Not taking anything that comes out of an IT staffer's pocket, thanks just the same.

  8. A modest bug bounty proposal by TheloniousToady · · Score: 2

    I've had a couple of friends whose Yahoo email contacts, including me, got sent spams which were crafted to appear as though the spam was from the friend. The spams contained links presumed to be armed and dangerous. I wonder if Yahoo has a bug bounty for that one? Heck, I'd chip in ten bucks myself if somebody would fix that.

  9. Found one by PPH · · Score: 1

    It's big, about the diameter of a silver dollar. Six legs, shiny black body, big pincers and semi-transparent wings. It's sitting on cowboyneal's head.

    --
    Have gnu, will travel.
  10. What about labor laws? by Joe_Dragon · · Score: 1

    Someone may just say they did work and did not get paid, and there is a full list of other stuff to come out. Let's say someone works there and tells a friend about bugs they know about so that friend can get paid to tell them about it? Or even that is the way to get past the PHB.

  11. Damage Control by SeaFox · · Score: 2

    Yahoo is set to launch its first formal bug bounty system after Swiss pen testers complained about the $12.50 vouchers offered for locating XSS vulnerabilities

    In other words, Yahoo realized since word got around how lame their rewards were for reporting security vulnerabilities people were more likely to start looking to see how much more they could get selling them to the bad guys instead.

  12. C'mon Now... by flyneye · · Score: 1

    Hey, $15,000 will keep you in t-shirts and coffee mugs for life!

    --
    *Repent!Quit Your Job!Slack Off!The World Ends Tomorrow and You May Die!
  13. "Up to" - marketing magic by wonkey_monkey · · Score: 1

    I don't know what everyone's complaining about. $12.50 comes under "Up To $15,000," and I'll give up to $1,000,000 to anyone who can prove me wrong!

    --
    systemd is Roko's Basilisk.
    1. Re:"Up to" - marketing magic by La+Gris · · Score: 1

      There is nothing wrong in your statement that $12.50 comes under "Up To $15,000";
      so there is no circumstance where you would give me up to $1,000,000 in correlation to proving you wrong on the above.
      This is where I could prove you wrong.
      But giving me up to $1,000,000 for proving you wrong would prove you right.

      Finally, the only possible income of all this is:
      - You have to give me more than $1,000,000 for proving you are wrong on advertising a reward for an impossible circumstance.
      - And the reward has to be more than your "up-to" to save your wrongness, or it would cancel itself.

      --
      Léa Gris
  14. Commend the Out of Pocket Expense by Kookus · · Score: 1

    That also just lowers the credibility of Yahoo. They have to have their own employees pay for things in order to operate... Sounds like a startup.

  15. So we can expect... by pla · · Score: 1

    So if Yahoo's recent history means anything, we can expect that the first bug bounty will pay 2 million dollars, which Marissa will claim for finding a font the wrong color, then she will immediately order the program ended for nebulous "abuses"?

    Of course, that would still sound better than giving out an insulting coupon for company swag. ;)

  16. Re:Bugs? by Lunix+Nutcase · · Score: 1

    What about the comet cursors?

  17. All I got... by bil_hendrix · · Score: 1

    What's on the t-shirt? Suggestion: "I submitted a bug report to Yahoo and all I got was this lousy t-shirt"

  18. This is actually worse. by intermodal · · Score: 1

    Before, it was Yahoo being cheap. Now it's Yahoo also screwing their own staff.

    --
    In SOVIET RUSSIA... erm...NSA AMERICA, the Internet logs onto YOU!
  19. I swear I thought I saw... by unitron · · Score: 1

    ..."Yahoo To Offer Bugs Bunny Rewards Up To $15,000"

    Darn floaters.

    --
    I see even classic Slashdot is now pretty much unusable on dial-up anymore.