Yahoo pays out $12.50 bug bounty

By on
Yahoo pays out $12.50 bug bounty

As store credit for Yahoo gear, researchers say.

Web giant Yahoo is copping flak from security researchers over allegations it pays just US$12.50 (A$13.40) for bug reports that can only be spent on Yahoo-branded merchandise.

Swiss penetration testing firm High-Tech Bridge said it ran a "small experiment" with Yahoo to see how quickly the company reacted to vulnerability notifications.

The researchers said they found a cross-site scripting (XSS) flaw in a Yahoo web property within 45 minutes. Yahoo's security team responded within 24 hours, but reportedly did not offer a cash reward, claiming someone else had reported the flaw first.

Unperturbed, High-Tech researchers continued and found three more XSS vulnerabilities.

"Each of the discovered vulnerabilities allowed any @yahoo.com email account to be compromised simply by sending a specially crafted link to a logged-in Yahoo user and making him/her click on it," the researchers said.

"Yahoo warmly thanked us for reporting the vulnerabilities and offered us... 12.50 USD (twelve dollars and fifty cents) reward per one vulnerability.

"Moreover, this sum was given as a discount code that can only be used in the Yahoo Company Store, which sell Yahoo's corporate t-shirts, cups, pens and other accessories.

"At this point we decided to hold off on further research."

iTnews has contacted a Yahoo spokesperson for comment.

High-Tech CEO Ilia Kolochenko said the bug bounty figures were "a bad joke", considering the vulnerabilities could fetch more on the black market than from Yahoo.

However, Kolochencko said that "money is not the only motivation of security researchers". Appealing to the ego of researchers in lieu of big rewards also worked, he said.

Long-time anti-virus expert Graham Cluley agreed. "Of course, money (and t-shirts) shouldn't be the only motivation for reporting a security vulnerability. But such a risible reward is unlikely to win Yahoo any friends and could – if anything – make it less likely that the site will gain the assistance of white-hats in future."

The company noted that Yahoo had since patched all four XSS vulnerabilities.

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © iTnews.com.au . All rights reserved.
Tags:
bountybridgebugcluleygrahamhightechpenreportresearchsecuritytestersvulnerabilitiesyahoo

Sponsored Whitepapers

Responding To Industry Trends And Our 5m+ Users
Responding To Industry Trends And Our 5m+ Users
The Future of Digital Identity in Government
The Future of Digital Identity in Government
Secure Public Services for Every Australian
Secure Public Services for Every Australian
7½ Questions for Aged Care's Digital Decisions
7½ Questions for Aged Care's Digital Decisions
Creating the Sustainable IT Department
Creating the Sustainable IT Department

Most Read Articles

Australia appoints first cyber security coordinator

Australia appoints first cyber security coordinator
Apple rushes out patches for exploited zero day bugs

Apple rushes out patches for exploited zero day bugs
Perpetual 'extended outage' caused by security incident at third-party

Perpetual 'extended outage' caused by security incident at third-party
Exploit emerges for Cisco VPN client vulnerability

Exploit emerges for Cisco VPN client vulnerability

Digital Nation

More than half of loyalty members concerned about their data
More than half of loyalty members concerned about their data
How eBay uses interaction analytics to improve CX
How eBay uses interaction analytics to improve CX
Health tech startup Kismet raises $4m in pre-seed funding
Health tech startup Kismet raises $4m in pre-seed funding
DeepAI founder on the risks of artificial intelligence
DeepAI founder on the risks of artificial intelligence
COVER STORY: The opportunities and risks of cybersecurity insurance in Australia
COVER STORY: The opportunities and risks of cybersecurity insurance in Australia

Log In

  |  Forgot your password?