This month, researchers from High-Tech Bridge found a number of XSS vulnerabilities in Yahoo websites. The security team notified Yahoo of four XSS issues, which affected the marketingsolutions.yahoo.com, ecom.yahoo.com and adserver.yahoo.com domains.
Martinez initially started sending out Yahoo T-shirts to vulnerability researchers with his own money. There were instances where researchers replied saying that they already had a T-shirt, after which Martinez started “buying a gift certificate so they could get another gift of their choice.” The director of Yahoo Paranoids claimed that the team was already putting the finishing touches on the company’s vulnerability reporting program when the “t-shirt-gate” hit.
When the security flaws were pounced upon and fixes issued, the security team "didn't have anything formal for thanking people" -- and so the director began sending out the t-shirts as a thank-you.
Martinez said, "I started sending a t-shirt as a personal thanks. It wasn't a policy, I just thought it would be nice to do something beyond an email. I even bought the shirts with my own money. It wasn't about the money, just a personal gesture on my behalf. At some point, a few people mentioned they already had a t-shirt from me, so I started buying a gift certificate."
Ramses Martinez said, "We recently decided to improve the process of vulnerability reporting..." This month the security team was putting the finishing touches on the revised program, and Yahoo is developing a new site to make the reporting process easier and clearer.
Yahoo's security team currently reviews all submissions from the community within hours, every day of the year, but the new policy will hopefully improve the firm's "overall speed and quality." The same goes for issue remediation.
The submitted issues are validated by Yahoo's team. Upon validation, researchers are contacted in no more than fourteen days after submission, and formal recognition of help will now be given either in an email or written letter. For the best discoveries, Yahoo plans to create a "Hall of Fame" on its web site.
Yahoo has also revealed that the system will go into effect by the end of October, but it will be offering backdated rewards starting July 1. Martinez added that those who got a t-shirt for reporting a vulnerability after July 1 will be contacted again.