If all you got in return for reporting a security vulnerability to Yahoo was a lousy T-shirt, don’t fret. The company wants to fix its mistakes and is now paying up to $15,000 to anyone who reports bugs and vulnerabilities classified as new, unique and/or high risk issues–up substantially from the measly $12.50 promo code it offered before to be used on Yahoo’s company store.
“My send a t-shirt idea needed an upgrade” writes Ramses Martinez, director of the Yahoo Security Team, aka Yahoo Paranoids, on the Yahoo Developer Tumblr. “I started sending a t-shirt as a personal ‘thanks.’ It wasn’t a policy, I just thought it would be nice to do something beyond an email. I even bought the shirts with my own money. It wasn’t about the money, just a personal gesture on my behalf.”
Security researchers certainly didn’t think so. Geneva-based security firm High-Tech Bridge wrote a strongly worded post on its website after being sent the $12.50 code for reporting three cross-site scripting (XSS) vulnerabilities that could allow any @yahoo.com email account to be easily compromised. Yahoo is applying its new policy retroactively back to July 1, 2013, so until High-Tech gets that check in the mail, we hope they enjoy their Yahoo-branded T-shirts.