All the latest UK technology news, reviews and analysis

Yahoo slammed for paltry $12.50 reward vouchers for security flaw finds

01 Oct 2013
White hats get paid in purple caps for public service

Security researchers who uncovered multiple hazardous security glitches relating to Yahoo's various websites were paid a measly $12.50 for each of their efforts. In an added twist, the reward was only available as a Yahoo discount code instead of cash.

High-Tech Bridge, which carried out the research, found four XSS vulnerabilities in Yahoo's Ecom and Ad Server domains. The bugs left users open to attack if a third party created a URL that linked to a malicious piece of JavaScript.

High-Tech Bridge reported four flaws to Yahoo, as recommended on the firm's security pages. In response, Yahoo sent the hackers a gift certificate for $25 to be used in Yahoo's online store, which sells a range of Yahoo-branded products including hats, mugs and iPhone cases. The reward was for two flaws, while Yahoo said one other bug had already been found by another user and the fourth received no response.

High-Tech Bridge says all four problems it reported to Yahoo have since been fixed. However, in protest it has abandoned its efforts to find more flaws in Yahoo's services. Ilia Kolochenko, High-Tech Bridge CEO, said the firm should revise its policies, which currently appear to be a "bad joke" and will not motivate the security community.

"Paying several dollars per vulnerability is a bad joke and won’t motivate people to report security vulnerabilities to them, especially when such vulnerabilities can be easily sold on the black market for a much higher price.

He said the company could at least consider other methods to reward security researchers:

"Money is not the only motivation of security researchers. This is why companies like Google efficiently play the ego card in parallel with [much higher] financial rewards and maintain a ‘Hall of Fame’ where all security researchers who have ever reported security vulnerabilities are publicly listed," he said.

"If Yahoo cannot afford to spend money on its corporate security, it should at least try to attract security researchers by other means. Otherwise, none of Yahoo’s customers can ever feel safe.“

"Yahoo does not publicly say it offers bounty reward for the security community, but nonetheless the money paid does not compare well to Facebook's bounty reward programme, which pays a minimum of $500 for successful reports."

In June, Facebook shelled out $20,000 to a hacker who spotted a serious flaw, which could have left accounts open to hijacking. 

Brian Martin, president of the Open Security Foundation, said the incident proved that vendors and websites should take community security reports more seriously. "Vendor bug bounties are not a new thing. Recently, more vendors have begun to adopt and appreciate the value it brings their organisation, and more importantly their customers," he stated.

"Even Microsoft, which was the most notorious hold-out on bug bounty programs realised the value and jumped ahead of the rest, offering up to $100,000 for exploits that bypass its security mechanisms. Other companies should follow its example and realise that a simple 'hall of fame' credit to buy the vendor's products, or a pittance in cash is not conducive to researcher co-operation."

V3 contacted Yahoo for comment but had not received a response at the time of publishing.

  • Comment  
  • Tweet  
  • Google plus  
  • Facebook  
  • LinkedIn  
  • Stumble Upon  
Michael Passingham

Michael Passingham joined V3 as a reporter in June 2013. Prior to working at V3, Michael spent time at computing magazine PC Pro. Michael covers IT skills, social media, tech startups and also produces V3's video content.

View Michael's Google+ profile

More on Security
What do you think?
blog comments powered by Disqus

Work location poll - office, remote or home?

Where do you spend most time working on your primary work device?

Popular Threads

Powered by Disqus
LG G Flex 2 hands-on review

CES 2015: LG G Flex 2 video

A closer look at LG's latest curved-screen smartphone

Updating your subscription status Loading

Get the latest news (daily or weekly) direct to your inbox with V3 newsletters.

newsletter sign-up button

Beacon technology: what are the opportunities and how does the technology work?

This paper seeks to provide education and technical insight to beacons, in addition to providing insight to Apple's iBeacon specification


Converting big data and analytics insights into results

Successful leaders are infusing analytics throughout their organisations to drive smarter decisions, enable faster actions and optimise outcomes

C++ Developer - Market Making exchange connectivity

C++ Developer - Market Making exchange connectivity...

C++ Developers - High throughput systems

C++ Developers - High throughput systems My client...

C++ Developer - High Frequency Trading

C++ Developer - High Frequency Trading A proven and...

Application Support - Wakefield - SQL / T-SQL / TCP/IP

Application Support - Wakefield - £22k + Company Car...
To send to more than one email address, simply separate each address with a comma.