By Ramses Martinez, Director, Yahoo Paranoids
So, I am the guy who started sending t-shirts as a thanks to people when they sent us a potential vulnerability issue. What an interesting 36 hours it has been :)
Here’s the story. When I first took over the team that works with the security community on issues and vulnerabilities, we didn’t have a formal process to recognize and reward people who sent issues to us. We were very fast to remedy issues but didn’t have anything formal for thanking the people who sent them in.
I started sending a t-shirt as a personal “thanks.” It wasn’t a policy, I just thought it would be nice to do something beyond an email. I even bought the shirts with my own money. It wasn’t about the money, just a personal gesture on my behalf. At some point, a few people mentioned they already had a t-shirt from me, so I started buying a gift certificate so they could get another gift of their choice. The other thing people wanted was a letter they could show their boss or client. I write these letters myself.
Most companies offer just a thanks, maybe some schwag, for identifying a potential vulnerability. There are those that offer money. If you’re interested, Bugcrowd.com has a list of what many companies do for bug and vulnerability reports.
Of course, when you work for a company that serves more than 800 million people every month, you take network and user security very seriously. We have a large, dedicated team that looks for security vulnerabilities and also takes input from the community. When someone reports an issue or vulnerability to us, we react in a few hours, often minutes. We monitor all external reports 24 hours a day, 7 days a week.
We recently decided to improve the process of vulnerability reporting. My “send a t-shirt” idea needed an upgrade. This month the security team was putting the finishing touches on the revised program. And then yesterday morning “t-shirt-gate” hit. My inbox was full of angry email from people inside and outside of Yahoo. How dare I send just a t-shirt to people as a thanks?
So rather than wait any longer, we’ve decided to preview our new vulnerability reporting policy a bit early. Our updated vulnerability reporting policies address five areas:
1) Reporting - We’re improving the reporting process for bugs and vulnerabilities to allow us to react even quicker and more effectively. Our new site will make sending issues to us easier, and it will be clearer about the process.
2) Issue Validation - Yahoo’s security team currently reviews all submissions from the community within minutes or at most a few hours. We do this 365 days a year, 24 hours a day. This will not change, but the new reporting process will improve our overall speed and quality.
3) Issue Remediation - Like #2, we already act swiftly to address vulnerabilities or issues affecting our network and customers. Again, this is a 24x7 process for Yahoo, and that will not change. It’s important to note that the vulnerability in question in recent press stories had already been resolved by Yahoo’s security team by the time these stories were written. But with a clearer process, we hope to be even faster here, as well.
4) Recognition - Submitted issues are validated by our team. Upon validation we will contact the reporting individual or organization directly. People will be contacted by Yahoo in no more than fourteen days after submission (but typically much faster). And because we know that formal recognition from Yahoo is often useful to an individual’s career or a firm’s reputation, we will issue a formal recognition of your help either in an email or a written letter, as appropriate. For the best reported issues, we will call out an individual’s contribution directly on our site in a “hall of fame.”
5) Reward - Out with t-shirts that I buy. Yahoo will now reward individuals and firms that identify what we classify as new, unique and/or high risk issues with between $150 and $15,000. The amount will be determined by a clear system based on a set of defined elements that capture the severity of the issue.
We’re excited to get this new process going and believe it will improve Yahoo’s relationship and effectiveness with the security community. We are committed to further improvements going forward. We take your help on improving the security of our services seriously.
The small print on the revised policy isn’t quite final. We will release the new policy by October 31, 2013. In the meantime, the benefits of the policy will be implemented retroactively back to July 1, 2013. If you submitted something to us and we responded with an acknowledgement (and probably a t-shirt) after July 1st, we will reconnect with you about this new program. This includes, of course, a check for the researchers at High-Tech Bridge who didn’t like my t-shirt.