The Bug Bounty Program is Now Live

by Ramses Martinez, Director, Yahoo Paranoids

What an amazing experience the last twenty-nine days have been. The response from the security community to our announcement of a formal Yahoo bug bounty program has been extremely positive.  Thank you! All the meetings, emails, new contacts, and tons of discussions have all led to this…we are ready to launch our Bug Bounty Program.

Earlier this month, in our initial Tumblr post, we promised to that our program will would address the following areas:

1) Reporting – You can now submit your vulnerability reports here:  This allows you to easily capture the information needed so we can quickly validate every issue.

2) Validation – Submissions will continue to be validated 24x7 by our security team. We will also continue to manually respond to each submitter; our goal is to engage the security community in a personal and open manner.  

3) Remediation  - We pride ourselves in fixing submitted issues as quickly as possible. We hope that the new, more automated submission process will reduce remediation time even further.

4) Recognition – All validated issues will have the option of having your name appear on our ‘Wall of Fame.’ This page will have both our top-ten all time reporters as well as every valid report on a per-month basis.  Let us know how you want to be recognized.

5) Reward – You can still get a t-shirt, but you will now also be paid for qualifying submissions.  These amounts can vary from $250 - $15,000 depending on the severity and complexity of the issue.

It is our hope that the official launch of this program will usher in a new, less-shirt-centric era for security at Yahoo. We look forward to open and productive collaboration with the community and doing our part to make the Internet more secure.

Lastly, I want to thank the following people who made the launch of this program a reality: our friends at Google, Facebook, Hackerone, and Bugcrowd, for taking my calls and providing some very sage advice.