All the latest UK technology news, reviews and analysis


Yahoo slammed for paltry $12.50 reward vouchers for security flaw finds

01 Oct 2013
White hats get paid in purple caps for public service

Security researchers who uncovered multiple hazardous security glitches relating to Yahoo's various websites were paid a measly $12.50 for each of their efforts. In an added twist, the reward was only available as a Yahoo discount code instead of cash.

High-Tech Bridge, which carried out the research, found four XSS vulnerabilities in Yahoo's Ecom and Ad Server domains. The bugs left users open to attack if a third party created a URL that linked to a malicious piece of JavaScript.

High-Tech Bridge reported four flaws to Yahoo, as recommended on the firm's security pages. In response, Yahoo sent the hackers a gift certificate for $25 to be used in Yahoo's online store, which sells a range of Yahoo-branded products including hats, mugs and iPhone cases. The reward was for two flaws, while Yahoo said one other bug had already been found by another user and the fourth received no response.

High-Tech Bridge says all four problems it reported to Yahoo have since been fixed. However, in protest it has abandoned its efforts to find more flaws in Yahoo's services. Ilia Kolochenko, High-Tech Bridge CEO, said the firm should revise its policies, which currently appear to be a "bad joke" and will not motivate the security community.

"Paying several dollars per vulnerability is a bad joke and won’t motivate people to report security vulnerabilities to them, especially when such vulnerabilities can be easily sold on the black market for a much higher price.

He said the company could at least consider other methods to reward security researchers:

"Money is not the only motivation of security researchers. This is why companies like Google efficiently play the ego card in parallel with [much higher] financial rewards and maintain a ‘Hall of Fame’ where all security researchers who have ever reported security vulnerabilities are publicly listed," he said.

"If Yahoo cannot afford to spend money on its corporate security, it should at least try to attract security researchers by other means. Otherwise, none of Yahoo’s customers can ever feel safe.“

"Yahoo does not publicly say it offers bounty reward for the security community, but nonetheless the money paid does not compare well to Facebook's bounty reward programme, which pays a minimum of $500 for successful reports."

In June, Facebook shelled out $20,000 to a hacker who spotted a serious flaw, which could have left accounts open to hijacking. 

Brian Martin, president of the Open Security Foundation, said the incident proved that vendors and websites should take community security reports more seriously. "Vendor bug bounties are not a new thing. Recently, more vendors have begun to adopt and appreciate the value it brings their organisation, and more importantly their customers," he stated.

"Even Microsoft, which was the most notorious hold-out on bug bounty programs realised the value and jumped ahead of the rest, offering up to $100,000 for exploits that bypass its security mechanisms. Other companies should follow its example and realise that a simple 'hall of fame' credit to buy the vendor's products, or a pittance in cash is not conducive to researcher co-operation."

V3 contacted Yahoo for comment but had not received a response at the time of publishing.

  • Comment  
  • Tweet  
  • Google plus  
  • Facebook  
  • LinkedIn  
  • Stumble Upon  
Michael Passingham
About

Michael Passingham joined V3 as a reporter in June 2013. Prior to working at V3, Michael spent time at computing magazine PC Pro. Michael covers IT skills, social media, tech startups and also produces V3's video content.

View Michael's Google+ profile

More on Security
What do you think?
blog comments powered by Disqus
Related jobs
Poll

Windows 7 end of mainstream support

What are your plans for when Microsoft ends mainstream support for Windows 7 in January 2015?
9%
9%
3%
65%
14%

Popular Threads

Powered by Disqus
LG G3 in gold black and white

LG G3 vs Galaxy S5 video

We pit the two Korean firms' flagship smartphones against each other

Updating your subscription status Loading
Newsletters

Get the latest news (daily or weekly) direct to your inbox with V3 newsletters.

newsletter sign-up button
hpv3may

Getting started with virtualisation

Virtualisation can help you reduce costs, improve application availability, and simplify IT
management. However, getting started can be challenging

ibmv3may

Converting big data and analytics insights into results

Successful leaders are infusing analytics throughout their organisations to drive smarter decisions, enable faster actions and optimise outcomes

Full Stack Web Developer (C#, ASP.NET, MVC, SQL, JS) London

Full Stack Web Developer (C#, ASP.NET, MVC, SQL, JS...

System Administrator (Windows Server, SQL Server, Hyper-V)

System Administrator (Windows, Windows Server, SQL Server...

System Support Officer

South Somerset District Council The Council Offices...

Systems Analyst

Systems Analyst £Competitive + great benefits...
To send to more than one email address, simply separate each address with a comma.