‘I reported a major Yahoo security vulnerability and all I got was this lousy T-shirt’

Image Credit: Flickr: codepo8

While companies like Facebook are dishing out hundreds of dollars to researchers who spot security vulnerabilities, Yahoo, it seems, is a bit less generous.

Researchers at High-Tech Bridge, an online security firm, have found that, while Yahoo encourages people to report vulnerabilities, the company doesn’t reward them all that well when they do so.

Last week, after spotting and reporting four separate cross-site scripting vulnerabilities (two of which were apparently reported previously), High-Tech Bridge’s researchers were given tiny $12.50 bounties for each vulnerability they found.

Even worse, that money took the form of a discount code that could only be used in Yahoo’s company store, which sells things like company T-shirts, pens, and mugs.

High-Tech Bridge CEO Ilia Kolochenko didn’t mince words about what this all means.

“If Yahoo cannot afford to spend money on its corporate security, it should at least try to attract security researchers by other means. Otherwise, none of Yahoo’s customers can ever feel safe,” he said.

In other words, reward researchers well, or they won’t bother telling you the next time they spot a security problem. (Or worse, they might even report the issue to the bad guys first.)

We’ve contacted Yahoo to determine why the payout was so low, and whether this was a special case.

Above: $12.50 is the price Yahoo pays for big security holes.

Some more background: The goal behind the researchers’ effort was to determine just how fast Yahoo responds to reports of major security issues. This has been a big deal lately, particularly after the snafu involving Facebook and researcher Khalil Shreateh, whom Facebook refused to pay after he used the vulnerability he found to post on Mark Zuckerberg’s wall.