Slashdot Mirror


Yahoo To Offer Bug Bounty Rewards Up To $15,000

aesoteric writes "Yahoo is set to launch its first formal bug bounty system after Swiss pen testers complained about the $12.50 vouchers offered for locating XSS vulnerabilities. The web giant also said the voucher rewards were informal and actually funded out of the pockets of the company's own IT security staff."

7 of 65 comments

  1. In other news... by Frosty+Piss · · Score: 5, Insightful

    ...The once powerful Yahoo grasps at straws to attract developers back after fucking them over for a few years...

    --
    If you want news from today, you have to come back tomorrow.
  2. Definition of Scrooge by snero3 · · Score: 2

    the web giant also said the voucher rewards were informal and actually funded out of the pockets of the company's own IT security staff

    I don't know how many t-shirts they gave out, but I am led to believe it wasn't many. If someone freely, out of their own good will, helps you out at your job, and you can only manage to pony up $12.50, that is just an insult. I personally would prefer just an email of thanks to that!! Hell, a case of beer maybe!!

    I bet these guys aren't first in line to order a round on Friday night.

    --
    It said "windows 98 or better" so I installed Linux
    1. Re:Definition of Scrooge by jiriw · · Score: 2

      I don't know...

      Yes, someone did notify you of something you probably didn't realise yet. And it might have become a problem for the company later on... if the wrong people found out just that. That person did it freely and out of his/her own good, but it doesn't necessarily make your job easier (maybe even harder, because now you have to solve this while there are already enough other problems on your plate). It won't reduce your workload... your employer has enough other things for you to do... it won't get you to that pub a minute earlier than your employer allows you to leave for the weekend (and that might be even later now). You won't tell that to the person who made that bug report, though. You're glad there are people who actively want to involve themselves in the security of the product you're proud to work on, even though they do it without prospect of financial gain.
      As a small thank you, you send the person a gift certificate paid from your own money, effectively saying 'Here is an hour of my time in wages. Please spend it on something you like' (give or take... My reference is my current hourly wage, after taxes, as an IT professional, which is a little more, but not much).

      Of course there is nothing wrong with a proper reward program, financed by the actual company. If these bugs take at least some skills and resources to track, and are that valuable, it would be rather cheap for a company not to have one. That having been said, a pay check for services rendered from a company is totally different from an employee paying you a small token out of his/her own pocket while the direct value for that employee is, at least, questionable.

  3. Undestroy by XB-70 · · Score: 2

    The Undestroy button is not working. The fix is to re-establish the chat rooms, clear the clutter from Yahoo! Messenger, make mail actually function at a reasonable speed and eliminate the mindless Hollywood crap from the main page. I'd like my $$$ now, please.

    --
    *** Don't be dull.***
  4. Re:Good luck getting paid by muphin · · Score: 3, Interesting

    That's counterproductive. Hiring a full-time developer to scour the site for bugs would cost hundreds of thousands, and here we have people with the skill after a small amount. Also, if the people doing the pen-testing get fucked over, they just release the exploit and move on to a site that appreciates their time.

    --
    It's not a typo if you understood the meaning!
  5. A modest bug bounty proposal by TheloniousToady · · Score: 2

    I've had a couple of friends whose Yahoo email contacts, including me, got sent spams which were crafted to appear as though the spam was from the friend. The spams contained links presumed to be armed and dangerous. I wonder if Yahoo has a bug bounty for that one? Heck, I'd chip in ten bucks myself if somebody would fix that.

  6. Damage Control by SeaFox · · Score: 2

    Yahoo is set to launch its first formal bug bounty system after Swiss pen testers complained about the $12.50 vouchers offered for locating XSS vulnerabilities

    In other words, Yahoo realized that, since word got around about how lame their rewards were for reporting security vulnerabilities, people were more likely to start looking to see how much more they could get selling them to the bad guys instead.