Digital media firm Yahoo has launched a public, crowdsourced bug bounty programme through ethical hacking specialist Intigriti, inviting ethical hackers to poke around its insides to seek and destroy bugs and vulnerabilities. The launch of the programme comes in the wake of a pilot hackathon held by Yahoo and Intigriti in the latter’s home town of Antwerp in Belgium.
Yahoo, which is technically the successor organisation to ’90s internet pioneer Yahoo!, these days runs multiple services, including AOL, Built by Girls, tech websites Engadget and TechCrunch, and the remaining Yahoo! internet services.
Yahoo has had a hosted bug bounty programme for around 10 years, but this new partnership covering Europe will see it open up its platforms to the 75,000 ethical hackers who are currently registered on Intigriti’s platform, as well as any others who may wish to take part. A total of 70 different assets will be in scope under the programme, from web domains to search services and their underlying application programming interfaces (APIs).
Bounty payouts on the programme will be scaled according to the potential impact of each finding, from approximately $100 to $500 for a low-severity issue, up to $10,000 for high-rated flaws, and up to $15,000 for the most critical bugs such as zero-days.
“Expanding our bug bounty programme with Intigriti gives us a bigger outreach to the global ethical hacker community. We want to cater to as many people as possible and provide the best service possible to our users,” said Arjun Govindaraju, Yahoo technical principal security engineer.
Capture the Flag bonus
Additionally, Yahoo said it would “raise the stakes” even further by offering participating hackers cash rewards for topping the leaderboard in Capture the Flag (CTF) programmes, as long as they have recently contributed to the bug bounty programme itself. These rewards will go as high as $15,000.
The two firms claimed this to be the first time anybody in the world has brought bug bounties to this arena, and said that they hope to attract more top cyber security talent from the CTF community and foster more collaboration among ethical hackers.
“We hope that our programme will be attractive to CTF-loving researchers,” said Govindaraju. “By introducing innovative incentives, Yahoo is fortifying its security posture and cultivating the next generation of cyber security talent.
“We’re committed to tapping into the expertise of CTF champions who possess the skills we value in our bug bounty hackers,” added Govindaraju. Such skills include problem solving in pressurised conditions, innovative thinking, and in-depth technical knowledge.
Haqpl, an ethical hacker and vice-captain of Poland-based CTF team justthecatfish, commented: “These rewards will entice CTF players who otherwise would never consider participating in vulnerability disclosure to come out of the woodwork. This is a fantastic chance to bridge two areas of security that are closely aligned yet have their own unique challenges.”
Stijn Jans, CEO of Intigriti, said: “Yahoo’s decision to partner with Intigriti affirms our commitment to delivering exceptional crowdsourced security solutions to our clients. We are honoured to be chosen by Yahoo to host their new public bug bounty programme, and we look forward to working closely with them to expand their outreach.”