Security firm High-Tech Bridge says it found serious cross-site scripting (XSS) flaws in Yahoo’s platform and submitted them to the search company so that Yahoo could patch the holes. But High-Tech Bridge wasn’t expecting what Yahoo was going to offer in return.
Bounties for security flaws at Facebook and Google often reach thousands of dollars per flaw, but Yahoo offered them…$12.50 per bug, for a total of $25. To put that in perspective, the researchers at High-Tech Bridge could have earned only a dollar less than that if they worked for three hours at the Burger King near Yahoo’s Sunnyvale offices.
To add insult to injury, they can’t even order a burger with their bounty, which can only be spent at the Yahoo Company Store, on products like this yodeling bottle opener.
As the team at High-Tech Bridge noted, monetary gain isn’t the only reason white hat hackers do what they do, and companies like Google also offer a Hall of Fame for researchers who submit bugs. That could be a way for Yahoo to encourage bug submissions without paying out a massive bounty, but at least right now, Yahoo doesn’t do that, either.
“If Yahoo cannot afford to spend money on its corporate security, it should at least try to attract security researchers by other means. Otherwise, none of Yahoo’s customers can ever feel safe,” High-Tech Bridge CEO Ilia Kolochenko said in a press release.
It would seem that Yahoo would want as many researchers as possible working on its platform, especially as multiple people are reporting that they are getting sensitive messages directed to past owners of email accounts that Yahoo recently freed up.
High-Tech Bridge, for its part, is saying that it plans to suspend all efforts to test Yahoo’s platform. I don’t know why they’d do that, though. They’re only three more bugs away from being able to pick up this Yahoo neon billboard sign.
Blair Hanley Frank is a technology journalist based in the San Francisco Bay Area. He has also worked for Macworld, PCWorld and TechHive. He can be found on Twitter @belril.