Ilia Kolochenko had discovered a number of XSS flaws in different Yahoo domains, and reported them to the company. The important part – fixing the flaws – was handled quickly and efficiently; but what raised eyebrows was the 'reward' offered to Kolochenko: effectively a Yahoo t-shirt. The concern is that such a reward simply would not persuade independent researchers to do the right thing and report vulnerabilities to the company when those vulnerabilities could be sold for hundreds if not thousands of dollars to the criminal underground.
It seemed to Infosecurity that Yahoo simply didn't have a bug bounty program, and that the t-shirt was a goodwill gesture from an employee. Infosecurity asked Yahoo for a comment, which was received this morning: "We’ve just updated our developer blog on our security and bug bounty programme which should answer some of your questions - We will release the new policy by October 31, 2013. In the meantime, the benefits of the policy will be implemented retroactively back to July 1, 2013."
That new policy is described by Ramses Martinez, director, Yahoo Paranoids: "So, I am the [goodwill] guy who started sending t-shirts as a thanks to people when they sent us a potential vulnerability issue. What an interesting 36 hours it has been :)"
He explains that Yahoo had been in the process of developing a reward program, and that in the meantime "I started sending a t-shirt as a personal “thanks.” It wasn’t a policy, I just thought it would be nice to do something beyond an email. I even bought the shirts with my own money... And then yesterday morning 't-shirt-gate' hit."
The upshot is that Yahoo has now rushed forward its plans. "So rather than wait any longer, we’ve decided to preview our new vulnerability reporting policy a bit early."
There are five main areas to the new policy: improved reporting, improved validation, improved remediation, the implementation of a 'hall of fame' – and a reward scheme. "Yahoo will now reward individuals and firms that identify what we classify as new, unique and/or high risk issues between $150 - $15,000," writes Martinez.
The small print on the new policy hasn't been finalised, and the scheme will be formally launched on October 31, 2013. But the benefits of the scheme will be backdated to July 1, 2013. "This includes," says Martinez, "a check for the researchers at High-Tech Bridge [Kolochenko] who didn’t like my t-shirt."