Users First: Our Vulnerability Disclosure Policy

By Chris Rohlf, Senior Manager, Penetration Testing
At Yahoo, our users come first – above all when it comes to security. Our dedicated information security team, the Yahoo Paranoids, constantly assesses the integrity of our systems by combating known threats and remaining vigilant for unknown security vulnerabilities.
Through this Tumblr, I want to lay out our strategy when it comes to that second category: unknown security vulnerabilities. Skilled attackers are discovering and exploiting zero-day vulnerabilities all the time, and no system or platform is impenetrable. We firmly believe in the importance of engaging the broader security ecosystem to help ensure as few people as possible are impacted by an attack of this sort.
As part of our efforts to keep our systems secure, the penetration testing team that I run constantly performs attacks against our own systems and looks for new ways that our adversaries might attempt to breach them. This process helps us uncover vulnerabilities not only in the software that Yahoo has written but also in the common open-source and commercial products that we use on our network. When we discover previously unknown security vulnerabilities (also known as “zero-day” vulnerabilities), we immediately address the risks on our own systems to protect our users. While this process is underway, we may notify our peers in the Internet community who may also be affected by the issue. Finally, we coordinate with the U.S. Computer Emergency Readiness Team (US-CERT) to ensure that a Common Vulnerabilities and Exposures (CVE) identifier is assigned to the issue so that others can properly track and manage the vulnerability.
Time is of the essence when we discover these types of issues: the more quickly we address the risks, the less harm an attack can cause. Today, we are committing to publicly disclosing on our security Tumblr, within 90 days of discovery, the vulnerabilities we find. By committing to this short time frame, we will help ensure that these vulnerabilities are patched as quickly as possible. We reserve the right to extend or shorten this timeline based on extenuating circumstances, including active exploitation or known threats. We also commit to sharing the appropriate technical details so other parties can assess their risk and take appropriate action.
As we’ve said before, our fight to protect our users and their data is an ongoing and critical effort. We will continue to work hard and engage the broader security community to combat attacks that violate our users’ security and privacy.
To learn more about our vulnerability disclosure policy, check out our FAQ below.
Interested in joining our team of Yahoo Paranoids? We are hiring! Check out available positions on our career site.
FAQ:
Q: Why does Yahoo disclose security vulnerabilities?
A: Disclosing security vulnerabilities allows everyone to patch their systems. We have to assume that third parties are already aware of these issues or may become aware of them soon. There is solid evidence that attackers routinely discover and exploit 0-day vulnerabilities.
Q: Why 90 days? Why not 15 or 120?
A: We feel 90 days is a long enough timeline for developers to write, test and deploy a fix for an issue. Within this time we will do our best to coordinate disclosure of the vulnerability and ensure that a proper fix has been developed. Furthermore, we hold ourselves to the same standard (http://hackerone.com/yahoo) and expect our own developers to fix security issues within 90 days. We anticipate that many security issues will be fixed and patches deployed well before the 90-day timeline has expired.
Q: What happens after 90 days?
A: This depends on the current state of the fix for the vulnerability. If we are in good contact with the party responsible for developing and deploying a fix but they need more time, we reserve the right to extend this deadline as necessary. If we feel no progress is being made on the fix, we reserve the right to publish the vulnerability details so that the Internet community is aware of the issue and individual organizations can defend against or patch it themselves. When this occurs we will do our best to provide mitigation guidance where appropriate. We will make every effort to contact all relevant parties and help coordinate the disclosure when needed.
Q: Is Yahoo actively looking for vulnerabilities in open and closed source software?
A: Yes. Part of our job is to always be on the lookout for security vulnerabilities that affect the technologies Yahoo uses, and this includes software we didn’t develop at Yahoo. These efforts are part of our larger commitment to user security, safety and privacy.
Q: Is Yahoo hoarding 0-day vulnerabilities?
A: Never! We disclose all vulnerabilities that we discover according to our policy guidelines.
