Yahoo is hunting for bugs and has paid a great deal to learn about vulnerabilities in its applications and how to fix them. The company reports that, to date, it has paid out more than $1 million to those who have reported bugs. It has received at least 10,000 submissions, of which approximately 1,500 have resulted in a bounty payout.
In a blog post, Yahoo’s senior director and interim chief information security officer Ramses Martinez wrote that the company views 2015 as a “pivotal year,” as it has shifted away from a community-sourced approach to finding vulnerabilities toward making bug-hunting a “key component” of its application security program. This is certainly a good sign, especially after years of rewarding security researchers with T-shirts for discovering flaws in Yahoo’s systems.
Yahoo’s formal bounty program gives researchers rewards as high as $15,000 per bug, starting at $150. The company says that more than 1,800 reporters have participated in the program, with 600 providing verifiable bugs. Half of all the submissions Yahoo received came from the top 6 percent of its contributors.
In terms of total payout, Yahoo trails Google, which has given out more than $4 million since its bug bounty program began in 2010. But that is a purely surface-level comparison: the two companies’ bounty programs are not the same, and how much is paid to researchers varies according to a number of factors.