Program launched with live hacking event in San Francisco

After paying out more than $3 million in rewards over the past three years, Oath, the US media and tech conglomerate, is combining its four existing bug bounty programs into one.

In a recent blog post, Oath CISO Chris Nims said the company’s current bug bounty initiatives for AOL, Yahoo, Tumblr, and Verizon Digital Media Service (VDMS) will be unified under a single program.

“Operated on our partner platform HackerOne, security researchers will be able to work on the AOL, VDMS, and Tumblr properties on an invite-only basis, while the Yahoo properties will be open to the public.”

Oath marked the start of its unified program on April 14 by gathering 40 hackers from around the world for H1-415 – a live hacking event in San Francisco.

“The event proved to be highly effective, with more than $400,000 in bug bounties paid out from nine hours of hacking,” said Nims.

News of the one-stop program follows Yahoo’s announcement in October that every single one of its customer accounts was likely to have been compromised in the August 2013 data breach – bringing the total to three billion.

Fellow Oath property Tumblr hit the headlines back in 2016, after the microblogging site revealed a third party had obtained access to a set of user email addresses with salted and hashed passwords.

Subsequent reports indicated that 65 million Tumblr accounts had been impacted.

“It’s our hope that with this unified bug bounty program, we will continue to increase the effectiveness of outside reporting and ultimately the security of Oath and its users,” said Nims.