Yahoo changes bug bounty policy following 't-shirt gate'

Following the aftermath of a security firm revealing its reward -- $12.50 t-shirts -- for finding severe vulnerabilities in Yahoo services, the tech giant has begun a review of its Bug Bounty policies.

In September, researchers from High-Tech Bridge found a number of XSS vulnerabilities. The security team notified Yahoo of four XSS issues, which affected the marketingsolutions.yahoo.com domain, ecom.yahoo.com and adserver.yahoo.com domains.

Each security flaw allowed any @yahoo.com email account to be compromised by sending a specially crafted link to a logged-in Yahoo user and making them click on it, according to High-Tech Bridge.

Two of the vulnerabilities were accepted as new, and the cross-site scripting vulnerabilities were worth a $12.50 reward each -- given as a discount code that can only be used in the Yahoo Company Store.

It is worth noting that tech firms do not rely on volunteer reports solely in order to protect their systems -- and so the reward does not mean that a company doesn't take security seriously -- but most firms now offer reasonable rewards for security researchers who notify the firm of a vulnerability, rather than sell it on for more substantial profit.

In a world where cybersecurity is a hot topic and cyberattacks are commonplace, having a good relationship with outside sources that are willing to tell you about a security flaw -- before a hacker uses it and potentially costs the company far more than a few thousand dollars or so reward -- is simply good practice.

As a result, following the t-shirt debacle, Ramses Martinez, Director of the security team Yahoo Paranoids, explained in a blog post what happened.

Martinez begins by labelling himself as the "guy who sent the t-shirt out as a thank you." Martinez says that after taking over the security team he realized there was no "formal process" to recognize and reward researchers who sent issues to the tech giant.

While the security flaws were pounced upon and fixes issued, the security team "didn't have anything formal for thanking people" -- and so the director began sending out the t-shirts as a thank-you. Martinez writes:

"I started sending a t-shirt as a personal "thanks." It wasn't a policy, I just thought it would be nice to do something beyond an email. I even bought the shirts with my own money. It wasn't about the money, just a personal gesture on my behalf. At some point, a few people mentioned they already had a t-shirt from me, so I started buying a gift certificate."

In addition, the director would send out letters as proof of the vulnerability's discovery.

However, after High-Tech Bridge's blog post went live, this is when Martinez says "t-shirt-gate" hit -- and his inbox was full of angry people inside and out of Yahoo, enraged at the idea of gifting a mere t-shirt in return for research.

As a result, Yahoo's security team are now previewing their new vulnerability reporting policy earlier than planned. In the new brief, key areas are addressed:

• Reporting: Yahoo is developing a new site to make the reporting process easier and clearer.
• Issue Validation: Yahoo's security team currently reviews all submissions from the community within hours, every day of the year, but the new policy will hopefully improve the firm's "overall speed and quality." The same goes for issue remediation.
• Recognition: Submitted issues are validated by Yahoo's team. Upon validation, researchers are contacted in no more than fourteen days after submission, and formal recognition of help will now be given either in an email or written letter. For the best discoveries, Yahoo plans to create a "Hall of Fame" on its web site.
• Reward: Perhaps the most important part -- the t-shirts are history, and will be replaced with rewards between $150 - $15,000 for vulnerabilities classified as "new, unique and/or high risk."

Martinez writes:

"We're excited to get this new process going and believe it will improve Yahoo’s relationship and effectiveness with the security community. We are committed to further improvements going forward. We take your help on improving the security of our services seriously."

The new policy will be released by the end of October 2013. In the meantime, to appease disgruntled t-shirt holders, the firm will implement the new policy retroactively back to July 1, 2013 -- including a cheque in the post for the team at High-Tech Bridge.