Yahoo’s Cheap Bug Bounty Might Blow up in Its Face

There are many areas of business where being cheap is rewarded by investors and customers. There are other areas where you simply cannot afford to be stingy, or you will reap the bitter harvest of that cheapness. Take the case of Yahoo: it appears to have taken a page from the playbooks of Google and Facebook and has offered a bounty, a reward for people who find security vulnerabilities or bugs in Yahoo's online properties. In principle this is a good move, because Yahoo is a closed system. It is not an open source platform, so nobody outside the company can audit its source code.

As a result, outsiders can only find bugs by probing Yahoo's products as they run online, reporting what they find, and waiting for Yahoo to fix them. By paying people who find problems, a company gives professional bug hunters a reason to analyze its products and systems thoroughly. The catch is that this incentivized bug hunting model only works if the incentive is strong enough, and Yahoo's is very cheap: just $12.50 per bug. That is very, very low compared to the bounties Google or Facebook pay.

Google and Facebook pay around a hundred to five hundred dollars even for low priority bugs. Yahoo's figure sends the wrong message to professional bug hunters: that Yahoo is probably not worth the effort of completely analyzing and picking apart. If that isn't depressing enough for would-be bug hunters, Yahoo also places limitations on the bounty. It isn't cash; it can only be spent on Yahoo branded swag. Talk about underwhelming; talk about disappointing.