Offering cash rewards for vulnerability reports has become something of a norm when it comes to big tech companies these days.
Yahoo has changed its bug bounty policies following a deluge of negative feedback in the wake of the news that ethical hackers were rewarded with $12.50 in gift vouchers for security flaw discoveries.
The company unveiled a new program to reward reporters who shed light on bugs and vulnerabilities classified as new, unique and/or high-risk issues. Starting October 31, 2013, individuals and firms who report bugs will be rewarded with anything between $150 and $15,000.
"The amount will be determined by a clear system based on a set of defined elements that capture the severity of the issue," Ramses Martinez, Yahoo's Director of Security, announced.
Yahoo denied that its new program was a response to the criticism, saying it was already working on a new bug bounty system before the furore.
Martinez begins his post by introducing himself: "So I'm the guy who sent the T-shirt out as a thank you." He says that before, there was no formal process to recognize and reward bug hunters.
He said that the security team "didn't have anything formal for thanking people", so he began sending out the T-shirts as a thank-you.
Martinez writes: "I started sending a T-shirt as a personal 'thanks.' It wasn't a policy, I just thought it would be nice to do something beyond an email. I even bought the shirts with my own money. It wasn't about the money, just a personal gesture on my behalf. At some point, a few people mentioned they already had a T-shirt from me, so I started buying a gift certificate."
"The fact that Yahoo is changing their programme is a good sign because it will definitely help them to facilitate relationships with security researchers," he said.
Another important announcement for anyone who has already submitted a bug report or security issue is that the reward program will be backdated to July 1, 2013, so there could be checks dropping through mailboxes in the near future.