Security Watch

Keeping Track of patches and hacks in the IT security world.

Facebook and Yahoo Boost Bug Bounty Programs

One year ago, Yahoo was only giving security researchers T-shirts; now it's doing a lot more.

Paying security researchers for properly disclosing security flaws is now considered a best practice by most leading technology vendors. It wasn't always that way, though.

Just a year ago, Yahoo was widely criticized for offering a security researcher just a T-shirt for providing a security report.

Yahoo recognized the error of its ways and, following the T-shirt incident, launched a proper bug bounty program. Over the course of the last year, the program has paid out $700,000 to more than 600 security researchers.

"In spite of this growth we haven't forgotten our roots," Ramses Martinez, senior director of Investigations, Intelligence, and Response at Yahoo, wrote in a Tumblr post. "This is why we still send the occasional t-shirt to researchers who successfully identify a tech vulnerability of significant value."

The Yahoo bug bounty program is now run on the HackerOne platform, which helps organizations receive and respond to security research reports. The Yahoo program pays a minimum of $50 and a maximum of $15,000 per properly reported flaw.

Yahoo isn't the only vendor talking about the success of its bug bounty program this week. Facebook Security Engineer Collin Greene noted in a Facebook post this week that his company has paid out more than $3 million in awards to researchers for disclosing security vulnerabilities.

Facebook now wants researchers to focus specifically on finding bugs in its ads code, and will pay a double bounty for flaws found there. Facebook has not publicly stated the maximum amount it will pay under the double bounty.

"Since the vast majority of bug reports we work on with the Whitehat community are focused on the more common parts of Facebook code, we hope to encourage researchers to become more familiar with the surface area of ads to better protect the businesses that use them," Greene wrote.

Google is also raising bounties to attract more research. It recently increased the rewards it pays researchers for security disclosures to a maximum of $15,000, and said it has paid out $1.25 million in bug bounties since starting its program in 2010.

Sean Michael Kerner is a senior editor at eWEEK. Follow him on Twitter @TechJournalist.
