Paying security researchers for properly disclosing security flaws is now considered by most leading technology vendors to be a best practice. It wasn’t always that way, though.
Just a year ago, Yahoo was widely criticized for offering a security researcher just a T-shirt for providing a security report.
Yahoo recognized the error of its ways and, following the T-shirt incident, launched a proper bug bounty program. Over the course of the last year, the program has paid out $700,000 to more than 600 security researchers.
“In spite of this growth we haven’t forgotten our roots,” Ramses Martinez, senior director of Investigations, Intelligence, and Response at Yahoo, wrote in a Tumblr post. “This is why we still send the occasional t-shirt to researchers who successfully identify a tech vulnerability of significant value.”
The Yahoo bug bounty program is now assisted by the HackerOne platform, which helps organizations handle responses to security research. The Yahoo program pays researchers a minimum of $50 and a maximum of $15,000 for properly reported flaws.
Yahoo isn’t the only vendor talking about the success of its bug bounty program this week. Facebook Security Engineer Collin Greene noted in a Facebook post this week that his company has paid out more than $3 million in awards to researchers for disclosing security vulnerabilities.
Facebook now wants researchers to focus specifically on finding bugs in its ads code and so will pay researchers a double bounty. Facebook has not publicly stated what the maximum amount is that it will pay as part of the double bounty.
“Since the vast majority of bug reports we work on with the Whitehat community are focused on the more common parts of Facebook code, we hope to encourage researchers to become more familiar with the surface area of ads to better protect the businesses that use them,” Greene wrote.
Increasing bug bounties to solicit more research is also something that Google is now doing. Google recently increased the rewards that it will pay researchers for security disclosures, up to a maximum of $15,000. Google said it has paid out $1.25 million in bug bounties since it started its bug bounty program in 2010.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.