In the aftermath of a security firm revealing Yahoo's reward -- $12.50 t-shirts -- for finding severe vulnerabilities in Yahoo services, the tech giant has begun a review of its Bug Bounty policies.
In September, researchers from High-Tech Bridge found a number of XSS vulnerabilities. The security team notified Yahoo of four XSS issues, which affected the marketingsolutions.yahoo.com, ecom.yahoo.com and adserver.yahoo.com domains.
Each security flaw allowed any @yahoo.com email account to be compromised by sending a specially crafted link to a logged-in Yahoo user and making them click on it, according to High-Tech Bridge.
Two of the vulnerabilities were accepted as new, and the cross-site scripting vulnerabilities were worth a $12.50 reward each -- given as a discount code that can only be used in the Yahoo Company Store.
It is worth noting that tech firms do not rely solely on volunteer reports to protect their systems -- so a small reward does not by itself mean that a company doesn't take security seriously -- but most firms now offer reasonable rewards to security researchers who notify the firm of a vulnerability rather than selling it on for a more substantial profit.
In a world where cybersecurity is a hot topic and cyberattacks are commonplace, having a good relationship with outside sources that are willing to tell you about a security flaw -- before a hacker uses it and potentially costs the company far more than a reward of a few thousand dollars -- is simply good practice.
As a result, following the t-shirt debacle, Ramses Martinez, director of Yahoo's security team, the Yahoo Paranoids, explained in a blog post what happened.
Martinez begins by labelling himself as the "guy who sent the t-shirt out as a thank you." Martinez says that after taking over the security team he realized there was no "formal process" to recognize and reward researchers who sent issues to the tech giant.
While the security flaws were pounced upon and fixes issued, the security team "didn't have anything formal for thanking people" -- and so the director began sending out the t-shirts as a thank-you. Martinez writes:
"I started sending a t-shirt as a personal 'thanks.' It wasn't a policy, I just thought it would be nice to do something beyond an email. I even bought the shirts with my own money. It wasn't about the money, just a personal gesture on my behalf. At some point, a few people mentioned they already had a t-shirt from me, so I started buying a gift certificate."
In addition, the director would send out letters as proof of the vulnerability's discovery.
However, after High-Tech Bridge's blog post went live, "t-shirt-gate" hit, as Martinez puts it -- and his inbox filled with angry people inside and outside Yahoo, enraged at the idea of gifting a mere t-shirt in return for research.
As a result, Yahoo's security team is now previewing its new vulnerability reporting policy earlier than planned. In the new brief, key areas are addressed:
Martinez writes:
"We're excited to get this new process going and believe it will improve Yahoo’s relationship and effectiveness with the security community. We are committed to further improvements going forward. We take your help on improving the security of our services seriously."
The new policy will be released by the end of October 2013. In the meantime, to appease disgruntled t-shirt holders, the firm will implement the new policy retroactively back to July 1, 2013 -- including a cheque in the post for the team at High-Tech Bridge.