Yahoo’s days of rewarding security researchers with T-shirts may soon be over.
The company says it’s working on a more formal bounty program, which it hopes will attract researchers by offering rewards as high as $15,000 per bug.
The news comes via a post from Yahoo Paranoids director Ramses Martinez, who says that his company was only days away from announcing the program when Monday’s High-Tech Bridge story hit.
While Martinez notes that most companies offer bug reporters corporate swag in place of money, he also acknowledges that Yahoo isn’t like most companies. With 800 million monthly users, Yahoo has a lot of people counting on it.
Martinez says that the new program will offer an improved reporting process, quicker submission validation, and more rapid recognition for the researchers who report bugs. And then there’s the reward money, which starts at $150 and goes up from there.
“The amount will be determined by a clear system based on a set of defined elements that capture the severity of the issue,” Ramses writes.
For comparison, bounties for Facebook bugs start at $500 and have no maximum; some of Microsoft’s bounties go as high as $100,000; and Google maxes out rewards at $20,000. This puts Yahoo a bit on the low end in terms of payouts.
The program will formally start on October 31, and should placate people like High-Tech Bridge CEO Ilia Kolochenko, who wrote on Monday that Yahoo needs to take security more seriously.
“If Yahoo cannot afford to spend money on its corporate security, it should at least try to attract security researchers by other means. Otherwise, none of Yahoo’s customers can ever feel safe,” he wrote.