Nearly two years after it launched a bug bounty program, Yahoo says it has awarded researchers who reported security vulnerabilities a total of more than $1 million.
According to Ramses Martinez, senior director and interim CISO at Yahoo, the company has received 10,000 submissions from 1,800 researchers since the launch of the vulnerability rewards program. A total of 600 researchers reported valid security flaws, and 1,500 of those reports have resulted in a bounty payout.
The monthly validity rate of vulnerability reports is currently 15 percent, which represents a 5 percent increase compared to the end of 2014. Martinez noted that 87 percent of reporters have submitted fewer than 10 bugs, and half of all submissions are from the top 6 percent of contributors.
A major improvement to our Bug Bounty program has been the implementation of a reputation system. This process is designed to award points to researchers after reporting a verifiable security bug. The number of points is also affected by the amount of the bounty the reporter is paid as reported.
Before October 2013, researchers who reported vulnerabilities to Yahoo were awarded a $12.50 voucher. After numerous complaints, Yahoo launched a proper bug bounty program via HackerOne and promised contributors between $50 and $15,000 based on the severity of the bugs.
In October 2014, Yahoo reported paying out over $700,000 to researchers through its bug bounty program; the total amount has now increased to more than $1 million.