Earlier this week, Yahoo was accused of using change in its sofa cushions as compensation for reports of security exploits, but now the whole ordeal has generated enough buzz to bring about change for the internet pioneer. As it turns out, these small prizes (along with rewards such as t-shirts) were paid for out of pocket by Ramses Martinez, the director of Yahoo's security team, who took a moment today to explain the company's new -- and far more lucrative -- bounty program. Moving forward, Yahoo will reward security researchers with payments that range between $150 and $15,000 for issues that it deems "new, unique and / or high-risk."
The company is still in the early stages of hammering out a new policy, but promises that payments will be determined "by a clear system based on a set of defined elements that capture the severity of the issue." Yes, these amounts still pale in comparison to the massive sums that Microsoft recently offered, but researchers now have reasonable incentive to inform Yahoo of the exploits, rather than sell them on the black market. According to Martinez, Yahoo's revised policy will be available by the end of the month, and as a nice gesture, its new reward structure will retroactively apply to all bugs submitted from July 1st onward.