Meet The Paranoids Powering Yahoo’s Bug Bounty Program
Note: Verizon Media is now known as Yahoo.
If bug bounty were baseball, the Paranoids team might describe Arjun Govindaraju and Jonathon Robin as our coach and team captain.
They’re the ones who ultimately receive researcher reports and guide urgent responses.
To be clear, Arjun is responsible for the overall Bug Bounty Program’s budgets, researcher engagements, policy maintenance, and promotional programs to attract and retain researchers.
Jonathon (who goes by JR) is responsible for handling incoming reports, promotions, awards, and researcher relations, among many other things, to keep processes flowing.
This week, they’re both in Antwerp running the Paranoids’ Live Hacking event.
We’ll let them get more specific about that event, their work, and how best to interact with our industry-leading program in their own words:
Q: How long have you both been running the Paranoids’ bug bounty program?
Arjun: I have been associated with Yahoo’s Bug Bounty program for a long time in a limited capacity, but I took over the Program Lead role only eight months ago.
Jonathon: I’ve been leading operations for about the same time and was an analyst on the bug bounty team for a year and a half before that.
Q: Why have the Paranoids focused our most recent hacking events on open-source projects — specifically Vespa and Arkime?
A: After the Log4J mess from the end of 2021, it was clear that open source projects don’t get their share of love from the corporate world, which consumes open source code but doesn’t give back.
And Yahoo wants to support open source projects - especially the ones we use - as a way to give back to the community.
JR: To add on to that, open source is such a big part of the world of software for individuals and businesses. It’s amazing to think that there are pieces of code developed and maintained by very small teams that we depend on and expect to be secure. Investing in the security of open source projects benefits everyone.
Q: Why is it so important to engage with new researchers in different geographies?
A: There’s only a small number of high-quality researchers in the Bug Bounty business today (in comparison to software developers), and every company that runs a vulnerability disclosure program has to compete to get these researchers' attention. So looking into newer markets or markets where we haven’t seen much activity is a great way to engage and attract new talent to the program.
JR: Different cultures provide new perspectives and out-of-the-box thinking that is important in the discovery of vulnerabilities or new novel methods of breaking into an application.
We’ve been amazed, especially by researchers out of South America and other parts of the world. And we look forward to finding new communities to check out the wide variety of applications that make up the various parts of Yahoo.
Q: Switching gears a bit, what’s the biggest challenge you have encountered in running the program?
JR: For me, it’s encountering people who are upset — most of the time with a decision or a payout — and turning an otherwise negative interaction into a positive outcome.
As unpleasant as those interactions are, it’s also an opportunity to learn from each other in a meaningful way that both improves interest in hacking Yahoo and bug bounty in general. In the end, it’s necessary to create better reports and awards now and in the future.
(Read: Dear Security Researchers, PLEASE BE NICE!)
Q: What do you look for when triaging a report?
A: The most important thing for me in a report is if there are sufficient details to understand the bug and instructions to replicate it. This goes a long way in processing the reports faster and awarding the researcher quickly.
I like to see information such as:
- IP addresses used to test the vulnerable app
- And any special conditions required for the issue to be reproducible
All of that information helps the team and, in turn, the developers to zero in on the root cause and fix it quickly.
Q: What reports stand out?
A: A report that contains a good write-up about the issue, a proof of concept, or POC, video, or screenshots clearly describing the issue, including any source code used in developing the POC.
JR: I like to see the researchers share information about their methodology and background, as well as a deeper analysis of components or how the bug works in the context of the application.
Sharing your nuclei templates would be great (edit: This is JR’s attempt at a joke!).
Q: What’s one thing you wish every security researcher contributing to the Paranoids’ bug bounty program knew?
A: How much work goes into processing a bug — triaging, assigning, bounty suggestions, approvals, payments, reporting, audits, and on and on.
We have a well-oiled machine with lots of processes and guardrails in place — courtesy of leaders before us — but even that takes lots of effort to keep running a smooth program for the security researchers.
JR: Our public policy, especially the rules of engagement, responsible disclosure of vulnerabilities, and crafting a report sections.
Understanding those sections can save a lot of time for both the researcher and the bug bounty team to avoid situations where we are put in a position of having to issue strikes — essentially warnings for potential violations of our rules.
Custom HTTP headers can go a long way in helping us identify traffic from bug bounty rather than a potential malicious actor. Another unfortunate situation may be where we cannot award due to issues with reproducibility for a potential bug finding.
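As an added illustration of the two attribution hints JR and Arjun mention (a custom header on bounty traffic, and the test IP addresses a researcher lists in the report), here is a small triage helper; it is example code, not anything from Yahoo’s program, and the header name `X-Bug-Bounty` and the sample requests are assumptions constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical header name; the interview does not state the program's actual convention.
BOUNTY_HEADER = "X-Bug-Bounty"

@dataclass
class Request:
    src_ip: str
    method: str
    path: str
    headers: dict

def build_allowlist(cidrs):
    """Parse the test ranges a researcher declared in their report."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]

def attribute(req, allowlist):
    """Classify one request for triage and return (label, header_value).

    'bounty'     : header present and source IP inside a declared research range
    'unverified' : header present but source IP undeclared (a claim to check, not proof)
    'untagged'   : no header; handled like any other traffic
    The header is plain text anyone can set, so it is a triage hint, never an access decision.
    """
    tag = {k.lower(): v for k, v in req.headers.items()}.get(BOUNTY_HEADER.lower())
    if tag is None:
        return "untagged", None
    ip = ipaddress.ip_address(req.src_ip)
    if any(ip in net for net in allowlist):
        return "bounty", tag
    return "unverified", tag

def triage(requests, allowlist):
    """Group requests by attribution label: {label: [(src_ip, path, tag), ...]}."""
    groups = {"bounty": [], "unverified": [], "untagged": []}
    for r in requests:
        label, tag = attribute(r, allowlist)
        groups[label].append((r.src_ip, r.path, tag))
    return groups

# Constructed sample: one declared researcher range (RFC 5737 test space) and three requests.
SAMPLE_ALLOWLIST = build_allowlist(["203.0.113.0/24"])
SAMPLE_REQUESTS = [
    Request("203.0.113.7", "GET", "/account/settings", {"X-Bug-Bounty": "researcher-handle-42"}),
    Request("198.51.100.9", "POST", "/api/login", {"x-bug-bounty": "someone-else"}),
    Request("192.0.2.55", "GET", "/", {"User-Agent": "Mozilla/5.0"}),
]

if __name__ == "__main__":
    for label, items in triage(SAMPLE_REQUESTS, SAMPLE_ALLOWLIST).items():
        print(label, items)
```

The "unverified" bucket is the one worth a human look: the header alone only tells you what the sender claims, and the declared ranges from the report are what turn that claim into attribution.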
Are you looking to get in touch because of something you found on Yahoo properties? Reach out to us using the contact information you find here: https://www.yahoo.com/.well-known/security.txt