Facebook and Yahoo Boost Bug Bounty Programs


bug bounties
Oct 16, 2014

Paying security researchers for properly disclosing security flaws is now considered by most leading technology vendors to be a good best practice. It wasn’t always that way though.

Just a year ago, Yahoo was widely criticized for offering a security researcher just a T-shirt for providing a security report.

Yahoo recognized the error of its ways and, following the T-shirt incident, launched a proper bug bounty program. Over the course of the last year, the program has paid out $700,000 to more than 600 security researchers.

“In spite of this growth we haven’t forgotten our roots,” Ramses Martinez, senior director of Investigations, Intelligence, and Response at Yahoo, wrote in a Tumblr post. “This is why we still send the occasional t-shirt to researchers who successfully identify a tech vulnerability of significant value.”

The Yahoo bug bounty program is now assisted by the HackerOne platform, which helps organizations handle responses to security research. The Yahoo program pays researchers a minimum of $50 and a maximum of $15,000 for properly reported flaws.

Yahoo isn’t the only vendor talking about the success of its bug bounty program this week. Facebook Security Engineer Collin Greene noted in a Facebook post this week that his company has paid out more than $3 million in awards to researchers for disclosing security vulnerabilities.

Facebook now wants researchers to focus specifically on finding bugs in its ads code and so will pay researchers a double bounty. Facebook has not publicly stated what the maximum amount is that it will pay as part of the double bounty.

“Since the vast majority of bug reports we work on with the Whitehat community are focused on the more common parts of Facebook code, we hope to encourage researchers to become more familiar with the surface area of ads to better protect the businesses that use them,” Greene wrote.

Increasing bug bounties to solicit more research is also something that Google is now doing. Google recently increased the rewards that it will pay researchers for security disclosures, up to a maximum of $15,000. Google said it has paid out $1.25 million in bug bounties since it started its bug bounty program in 2010.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
