Researchers find critical vulnerabilities in Yahoo’s site, offered $12.50 per bug

Yahoo may be in the midst of a reinvention, but according to one security company, their compensation for turning in security flaws is…lacking.

Security firm High-Tech Bridge says it found serious cross-site scripting (XSS) flaws in Yahoo’s platform and submitted them to the search company so that Yahoo could patch the holes. But High-Tech Bridge wasn’t expecting what Yahoo was going to offer in return.

Bounties for security flaws at Facebook and Google often reach thousands of dollars per flaw, but Yahoo offered them…$12.50 per bug, for a total of $25. To put that in perspective, the researchers at High-Tech Bridge could have earned only a dollar less than that if they worked for three hours at the Burger King near Yahoo’s Sunnyvale offices.

To add insult to injury, they can’t even order a burger with their bounty, which can only be spent at the Yahoo Company Store, on products like this yodeling bottle opener.

As the team at High-Tech Bridge noted, monetary gain isn’t the only reason why white hat hackers do what they do, and companies like Google also offer a Hall of Fame for researchers who submit bugs. That could be a way for Yahoo to encourage bug submissions without paying out a massive bounty, but at least right now, Yahoo doesn’t do that, either.

“If Yahoo cannot afford to spend money on its corporate security, it should at least try to attract security researchers by other means. Otherwise, none of Yahoo’s customers can ever feel safe,” High-Tech Bridge CEO Ilia Kolochenko said in a press release.

It would seem that Yahoo would want as many researchers as possible working on its platform, especially as multiple people are reporting that they are getting sensitive messages directed to past owners of email accounts that Yahoo recently freed up.

High-Tech Bridge, for its part, is saying that it plans to suspend all efforts to test Yahoo’s platform. I don’t know why they’d do that, though. They’re only three more bugs away from being able to pick up this Yahoo neon billboard sign.

  • http://www.christopherbudd.com Christopher Budd

    So-called “bug bounties” are always a delicate thing. While I was at Microsoft we never did them, though they now offer some bounties.

    But what Microsoft does is kind of the opposite of this. They only offer bounties for specific classes of vulnerabilities and they offer high monetary rewards. For all the others, the reward remains the acknowledgement in a security bulletin or the online security research acknowledgement page.

    I don’t know the specifics of Yahoo’s program but to say that the reward they’re offering is low compared to other bounties is an understatement. Having dealt with these issues a lot, I have to say I think Yahoo would be better off not offering a bounty than offering a bounty this low and out of sync with the rest of the industry. It basically gives you the worst of both worlds, as evidenced by this story.

  • Wojtek

    I certainly hope for Yahoo that they do not have any more bugs, as they will now end up with a defacement or something ’cause nobody will even bother letting them know they have a problem. As C. Budd mentioned, they would be better off without any bounty program.

  • Anthony Fernandez

    I found an XSS vulnerability in the yahoo.com support website earlier this year and received no money or t-shirt, just an email back saying it was legit. Got photos, too, and emails to prove it. I will never report a Yahoo vulnerability again if they don’t make some change…