One of the challenges of trying to keep up with the news cycle is that nothing in this world is static. Too often, because we get inundated with “hot stories,” the natural tendency is to focus on what is breaking and not on follow-ups. It must be noted that not every story is worth an update, and in fact most are not. However, Yahoo’s response to the news that it was being less than generous in paying bounties to third parties that found bugs in Yahoo services is one that deserves an update.
Yahoo says we are sorry and will do better
So here is the update. One Ramses Martinez, who holds the interesting title of Director, Yahoo Paranoids, posted on the Yahoo Developer Network tumblr.com blog a mea culpa entitled, “So I’m the guy who sent the t-shirt out as a thank you.” By all means, read the entire posting, since it does provide some context for how all of this went down. It appears that what at first seemed to be an innocent gesture of gratitude, sending out t-shirts for finding bugs, got out of hand once it was exposed and amplified, and Yahoo is now working hard to restore its reputation on matters of security, including its appreciation of third-party assistance.
Putting aside Martinez’s personal apology, what you need to know is that the company has updated its vulnerability reporting policies and decided to reveal them a bit sooner than it wanted to, given the firestorm that broke out in the blogosphere over the initial revelations.
Hence, if you want to be a bounty hunter for Yahoo, here is what you need to know:
Our updated vulnerability reporting policies address five areas:
1) Reporting - We’re improving the reporting process for bugs and vulnerabilities to allow us to react even quicker and more effectively. Our new site will make sending in issues to us easier, and it will be more clear about the process.
2) Issue Validation - Yahoo’s security team currently reviews all submissions from the community within minutes or at most a few hours. We do this 365 days a year, 24 hours a day. This will not change, but the new reporting process will improve our overall speed and quality.
3) Issue Remediation - Like #2, we already act swiftly to address vulnerabilities or issues affecting our network and customers. Again, this is a 24x7 process for Yahoo, and that will not change. It’s important to note that the vulnerability in question in recent press stories had already been resolved by Yahoo’s security team by the time these stories were written. But with a more clear process, we hope to be even faster here, as well.
4) Recognition - Submitted issues are validated by our team. Upon validation we will contact the reporting individual or organization directly. People will be contacted by Yahoo in no more than fourteen days after submission (but typically much faster). And because we know that formal recognition from Yahoo is often useful to an individual’s career or a firm’s reputation, we will issue a formal recognition of your help either in an email or written letter, as appropriate. For the best reported issues, we will directly call out from our site an individual’s contribution in a “hall of fame.”
5) Reward - Out with t-shirts that I buy. Yahoo will now reward individuals and firms that identify what we classify as new, unique and/or high risk issues between $150 - $15,000. The amount will be determined by a clear system based on a set of defined elements that capture the severity of the issue.
Let’s face it: the security community is most interested in No. 4 and No. 5, i.e., recognition and rewards.
Call me a bit skeptical, but this is going to be a case of actions speaking louder than words, and “Show me the MONEY!”
I am not a fan of statements like, “We’re excited to get this new process going and believe it will improve Yahoo’s relationship and effectiveness with the security community. We are committed to further improvements going forward. We take your help on improving the security of our services seriously.” The use of “we’re excited” is a red flag of sorts.
What were they before this came to light, given the admission that they provided third parties neither recognition nor anything resembling even perceived value for their efforts in helping Yahoo when it could not help itself? I guess they were just mildly enthused?
There will be additional follow-ups to this as circumstances warrant.
Edited by Alisen Downey