Yahoo bug bounty programme pays out more than US$1m to researchers

Yahoo has paid more than US$1 million (£641k) to security researchers under its bug bounty programme, the company announced in a Tuesday blog post recapping the nearly two-year operation.

Calling 2015 a “pivotal year,” the company's interim CEO, Ramses Martinez, wrote that “community engagement is at an all time high” and the team “is able to triage and fix bugs faster than ever.”

Submissions exceeded 10,000, and approximately 1,500 of those resulted in a reward. Nearly half of submissions are from the top six percent of contributors, the post states, and 87 percent of researchers submit fewer than 10 bugs each, together accounting for about 34 percent of submissions.

Martinez also pointed out the programme's reputation system, which, he wrote, “has made our top vulnerability reporters more meaningful by illustrating not only the number of reports they submit, but the severity value we assigned to each.”