A couple of days ago, a story from the High Tech Bridge blog was posted on the Web describing how Yahoo motivates security researchers to report vulnerabilities. The point was that, in response to reports of XSS vulnerabilities on a number of yahoo.com subdomains, the researchers who found the problems received a reward in the form of $12.50 coupons for T-shirts and pens in the company's store.
In response, Ramses Martinez, director of Yahoo Paranoids (the company's name for its team of engineers responsible for information security), explained on Yahoo's behalf why the company had responded so modestly to quite valuable information, and announced that from now on the assessment would be seriously revised towards larger financial rewards.
As Martinez explains, Yahoo had no formal process for rewarding the author of a reported problem in any way. Realizing that a plain email reply along the lines of "Thank you, your information has been taken into account" looks rather shabby, the director of Paranoids began sending T-shirts to the people who reported vulnerabilities as a sign of his personal gratitude; moreover, Martinez bought them with his own money, and when it turned out that some reporters already had several T-shirts, he made the logical decision to send discount coupons instead so that people could choose a gift for themselves.
Another form of recognition was that Martinez himself wrote an email to reporters who needed a Yahoo director to acknowledge the vulnerability, so that the letter could be shown to a boss or to clients as proof of the security specialist's competence.
As a result, Martinez admits that a couple of days ago his inbox filled with angry letters (probably about the $12.50 story) saying that a T-shirt is an unworthy price for a vulnerability. The reward program has therefore received a significant update from the company's management. From now on, the bug reporting system will be changed, the team that responds to reports will work more efficiently, and, most importantly, the amount paid to those who find vulnerabilities will change: it will now range from $150 to $15,000 depending on the severity of the reported problem.
The updated security policy comes into force on October 31 of this year.
[Source]