By Chris Nims, CISO and Paranoid in Chief
A little more than three months ago, we brought 40 of the world's best white hat hackers to an undisclosed location in San Francisco to hack our portfolio of brands and online services, including Tumblr, Yahoo, Verizon Digital Media Services and AOL. With a scope unparalleled for an event of this kind, it was a moment to relaunch a unified bug bounty program and to bring in some heavy hitters to see what kind of gains we could make. The result: 12 hours of hacking netted $400,000 in payouts for verified bugs, a huge win for the safety and security of our users, as well as our platforms.
Since then, our program has seen a steady hum of submissions from security researchers around the world and, as of June, we surpassed $1,000,000 in payouts for verified bugs. This scale represents a significant decrease in risk and a considerable reduction of our attack surface. Every bug found and closed is a bug that cannot be exploited by our adversaries.
Bug submissions weren't all we received from our security community. We also heard a ton of feedback that we've accounted for in five changes to our program policy. We believe in building a program our security researchers engage with on a regular basis. This, in our view, is a better metric of success for the health and longevity of our program and subsequently our overall security. So what's new?
The security landscape changes constantly, and we hope these updates to the bug bounty program will make Paranoids and security researchers alike better able to detect threats before they cause damage to our community.