Yahoo's security team said that any vulnerability discovered during its penetration testing would be disclosed to the public after a period of 90 days.
One of the group's responsibilities is to assess the security of software written by Yahoo, testing both the company's own code and the third-party software integrated into the services Yahoo provides.
The group calls itself the Yahoo Paranoids and, led by Chris Rohlf, attacks the company's infrastructure to find new vulnerabilities that could be exploited.
"This process helps us identify vulnerabilities, not just in software written by Yahoo, but in open-source and commercial products that we use in our network," Rohlf wrote in a statement posted to Tumblr on Tuesday.
The new team's task is to report previously unknown vulnerabilities in code (also known as zero-day vulnerabilities) so that they are fixed promptly by the responsible experts, while the other organizations that may be affected by the problem and US-CERT (the United States Computer Emergency Readiness Team) are informed at the same time.
While 90 days may seem like a short time for a code's developer to fix a problem, a longer window would increase the risk to users by giving cybercriminals the opportunity to find the flaw themselves and exploit it.
Nevertheless, Mr. Rohlf notes: “We're reserving the right to extend or shorten this schedule based on circumstances such as vulnerabilities that are already being exploited, or the existence of known threats.”
Cybercriminals are usually successful because they are constantly looking for zero-days, that is, vulnerabilities that are not publicly known and that, by the time they are discovered, have already compromised the victim or victims. Yahoo considers itself to be taking a strong new stance against this practice, covering not only its own code but also the code of the third parties it works with.
Public disclosure of a vulnerability after 90 days depends on many factors, including the difficulty of fixing the flaw, since releasing a patch can sometimes take longer. However, if little or no progress has been made by that date after the vulnerability's discovery, Yahoo reserves the right to disclose it in order to push companies to take immediate defensive measures or prepare a patch.