Last week, Chris Nims, chief information security officer of Internet company Oath, officially announced the launch of a unified bug bounty program covering AOL, Yahoo, Tumblr and Verizon Digital Media Services (VDMS). The bug bounties, which previously belonged to four separate programs, will be consolidated on the HackerOne platform.
According to Nims, Oath offers relatively competitive rewards compared with other bug bounty programs, and the impact of a vulnerability is an important factor in determining the size of a reward. During evaluation, the company reviews the data a flaw could expose and how sensitive that data is. The role of the data, the network location, and the permissions of the affected servers all bear closely on the impact of the vulnerability.
The program already has more than 3,000 researchers worldwide. In the past four years, Oath has paid more than 3 million U.S. dollars to researchers. “Our new program will combine our existing bug bounty operations into one united program, establishing a foundation to expand our program in the future. Surfacing vulnerabilities and resolving them before our adversaries can exploit them is essential in helping us build brands people love and trust. Whether they had been participating in our programs for years or were looking at Oath assets for the first time, it was empowering to witness the dedication, persistence, and creativity of the hacker community live and in-person,” Nims said.
Oath’s plan had already begun to take shape before the announcement. At a nine-hour hacking event held in San Francisco in mid-April this year, with 41 researchers from 11 countries, Oath paid out more than US$400,000 in bounties in a single day, a clear sign of the company’s sincerity.
“It’s our hope that with this unified bug bounty program, we will continue to increase the effectiveness of outside reporting and ultimately the security of Oath and its users.” That is how Nims summed up the plan.