Yahoo: Security team will reveal vulnerabilities 90 days after finding them

Yahoo's security team stated that any vulnerability it discovers will be disclosed to the public after a period of 90 days.

One of the team's responsibilities is to evaluate the security of the software written by Yahoo, and to test third-party code that is integrated into the services the company provides.

The group calls itself the Yahoo Paranoids and, led by Chris Rohlf, attacks infrastructure to find new vulnerabilities that can be exploited.

"This process helps us identify vulnerabilities, not just in software written by Yahoo, but in open-source and commercial products that we use in our network," Rohlf wrote on Tuesday in a message on Tumblr.

When the new team uncovers previously unknown code vulnerabilities (also known as zero-days), its job is to have them fixed immediately by the experts, who will at the same time notify the other parties that may be affected by the problem, as well as US-CERT (Computer Emergency Readiness Team).

While 90 days may seem like a short amount of time for the code developer to fix a problem, a longer time frame will increase the risk, giving cybercriminals the opportunity to find the flaw for themselves and exploit it.

However, Mr Rohlf said: "We reserve the right to extend or shorten this timetable based on circumstances such as already exploitable vulnerabilities or the existence of known threats."

Cybercriminals are usually successful because they are constantly looking for zero-days, that is, vulnerabilities that are not yet known and that, by the time they are discovered, have already been used to compromise the victim or victims. Yahoo considers itself to be taking a strong new stance against this practice, one that covers both its own code and the code of the third parties it works with.

Publishing a vulnerability after 90 days depends on many factors, including how difficult the defect is to fix, since releasing a patch may sometimes take longer. However, if there has been little or no progress since the discovery of the vulnerability, Yahoo reserves the right to disclose it in order to force companies to take immediate defensive action or to prepare a patch.

iGuRu.gr

Written by Dimitris
