Yahoo announced on Monday that since its inception three years ago, between the launch of its bug bounty program in 2013 and December 2016 it had paid out a total of more than $2 million.
The program has worked with more than 2,000 contributors from more than 80 countries, and its HackerOne page lists a total of 3,552 resolved bug reports.
Yahoo said:
“Yes, this all comes with a degree of vulnerability. After all, we’re asking some of the world’s best hackers to seek out soft spots in our defences. But it’s acceptable risk. The right incentives combined with some hackers who actually want to do some good has resulted in a diverse and growing global community of contributors to our security.”
“In 2017, we’ll look to continue to foster this healthy marriage in security. Attracting the highest skilled hackers to our program with meaningful bounties will continue to result in impactful bug reporting.”
In comparison, Facebook has spent more than $5 million since the launch of its bug bounty program in 2011, while Google has paid out experts $9 million since 2010.
Yahoo didn’t share any information on its largest single payout while Google’s biggest single reward last year was $100,000 and the Facebook largest payout was $40,000 for a remote code execution (RCE) vulnerability.
Use of ethical hackers to find bugs can be very effective to limit potential risk and secure organizations.
