Yahoo touched off a firestorm on Tuesday when security firm High-Tech Bridge issued a grumpy press release detailing their compensation for turning in a pair of security vulnerabilities: a $25 gift certificate, good for products available in Yahoo’s company store.
Compared to five-figure bounties offered by tech giants like Facebook and Google, it seemed as though Yahoo was low-balling the security researchers, who said that they wouldn’t be actively pursuing flaws in Yahoo’s products because of the lack of compensation.
Now, Yahoo says it is going to overhaul its bug reporting systems, including raising its bounties well beyond a small gift certificate.
In a post to the Yahoo Developer Network blog entitled “So I’m the guy who sent the t-shirt out as a thank you,” Ramses Martinez, the head of Yahoo’s security team, said that sending out a t-shirt was his little way of thanking developers:
I started sending a t-shirt as a personal “thanks.” It wasn’t a policy, I just thought it would be nice to do something beyond an email. I even bought the shirts with my own money. It wasn’t about the money, just a personal gesture on my behalf. At some point, a few people mentioned they already had a t-shirt from me, so I started buying a gift certificate so they could get another gift of their choice. The other thing people wanted was a letter they could show their boss or client. I write these letters myself.
While that personal touch is nice, it only works for so long. Martinez said that he had already planned to offer greater rewards to researchers, and the PR firestorm that erupted from High-Tech Bridge’s disclosure just advanced the timeline.
Under the new system, researchers will be rewarded between $150 and $15,000 for qualifying vulnerabilities, and will also receive recognition sent to them by Yahoo, and potentially earn a place in the company’s soon-to-be created Hall of Fame.
The new policy will be released by Oct. 31, and will apply to all vulnerabilities turned in after July 1, which includes those submitted by High-Tech Bridge.
High-Tech Bridge CEO Ilia Kolochenko said in an email that the policy change hasn’t affected High-Tech Bridge’s decision-making, at least not yet:
This change is definitely a good sign. However, as we told Yahoo since the very beginning of our relations — we are not reporting vulnerabilities for money. Therefore this change will not have any influence on our further research: for the moment we are not especially interested in digging for vulnerabilities in their services, but in case we find some — they will all be reported to Yahoo as before. If Yahoo decides to increase their award for the previously reported vulnerabilities — this amount will be used to support a non-profit information security association.
Previously on GeekWire: Researchers find critical vulnerabilities in Yahoo’s site, offered $12.50 per bug