Yahoo massively upset the security community last October when it forked out a measly $12.50 (in company vouchers, no less) as a reward for a researcher who identified a major vulnerability within its email service. There’s an expectation that unearthing a significant weakness in a product is followed by a decent level of compensation, but Yahoo bungled that call — a move that subsequently saw it set up a Bug Bounty Program.
One year after its creation, Yahoo says that it has paid out over $700,000 in cash rewards as part of the initiative. The U.S. firm revealed that, all in all, it has seen contributions from over 600 security researchers.
Yahoo’s position is doubtless far stronger than a year ago, when it became a laughing stock for its paltry compensation offer to the researcher who fixed a major email issue.
“We haven’t forgotten our roots,” Yahoo says. “This is why we still send the occasional t-shirt to researchers who successfully identify a tech vulnerability of significant value.” While the researcher who identified the Yahoo email issue in October 2013 could have bought a company T-shirt with his $12.50, the program now offers more significant compensation — the minimum payout is $50 and the maximum is $15,000.
We’re reminded of the importance of website security on a nearly daily basis. Whether it is credit card company hacks or reports of email address credentials leaked by the millions, it’s clear that companies can never do enough to be secure. That focus has made bug bounty programs an important part of defensive strategies.
Google last year revealed it had paid out $2 million to researchers (a number that has almost certainly increased over time), although that figure is based on a three-year period. Microsoft launched its program in the summer of 2013 — it added Office 365 to the mix last month — and the likes of Twitter, and even young startups like anonymous messaging app Secret, have followed suit with their own initiatives.
That said, there really is no guarantee that all issues will be nipped in the bud. Dropbox runs a bug bounty program alongside its own security efforts, yet some of its users had their accounts and passwords exposed this week. The company says its server was not hacked, and the issue appears to have been down to third-party websites or simply a case of some people reusing the same login and password details across multiple services.
Feature image via Linda Tanner / Flickr