Yahoo is not having very good run in the reputation department when it comes to user security. As we’ve reported on several times, the company launched an initiative to recycle some of its old email addresses, handing inactive accounts over to active users, and apparently compromising data from emails being sent to the original account holders.
Yahoo has responded, but that response has been met with its own share of criticism.
Now Yahoo is making headlines for its bug bounty program, which encourages security researchers to notify Yahoo of any bugs they come across. Researchers at High-Tech Bridge found a few bugs, and were not exactly impressed with Yahoo’s reward.
First, they found one XSS vulnerability (after only 45 minutes of investigating), and notified Yahoo only to be told that they didn’t qualify for a reward because somebody else had already revealed the bug. The company reportedly did not offer any evidence of this.
Then, they found more. High-Tech Bridge constructed a press release about its dealings with Yahoo. Here’s a snippet:
Being curious about how Yahoo would react to other vulnerabilities we continued our research during the evening of Sunday, the 22nd of September. By Monday the 23rd of September the Yahoo Security Team was notified of 3 more XSS vulnerabilities affecting the ecom.yahoo.com and adserver.yahoo.com domains. Each of the discovered vulnerabilities allowed any @yahoo.com email account to be compromised simply by sending a specially crafted link to a logged-in Yahoo user and making him/her clicking on it.
This time Yahoo took 48 hours to reply only about two XSS affecting adserver.yahoo.com. Yahoo warmly thanked us for reporting the vulnerabilities and offered us… 12.50 USD (twelve dollars and fifty cents) reward per one vulnerability. Moreover, this sum was given as a discount code that can only be used in the Yahoo Company Store, which sell Yahoo’s corporate t-shirts, cups, pens and other accessories:
Yep, you read that right.
With a $12.50 credit to the Yahoo store, you can get twelve ink pens, four mousepads, one keychain, or four pairs of socks (at least while they’re on sale), to name a few options.
I’m guessing they’re on sale due to the outdated logo.
It’s not quite enough to get this sweet Tumbler set (seems like a missed “Tumblr” reference opportunity):
Oh well. It’s out of sock anyway.
High-Tech Bridge CEO Ilia Kolochenko had this to say:
“Yahoo should probably revise their relations with security researchers. Paying several dollars per vulnerability is a bad joke and won’t motivate people to report security vulnerabilities to them, especially when such vulnerabilities can be easily sold on the black market for a much higher price. Nevertheless, money is not the only motivation of security researchers. This is why companies like Google efficiently play the ego card in parallel with [much higher] financial rewards and maintain a ‘Hall of Fame’ where all security researchers who have ever reported security vulnerabilities are publicly listed. If Yahoo cannot afford to spend money on its corporate security, it should at least try to attract security researchers by other means. Otherwise, none of Yahoo’s customers can ever feel safe.“
Security vet Graham Cluley, who has been very vocal about Yahoo’s recycled email address plan writes, “Yahoo, it seems, just can’t do anything right when it comes to winning friends in the security industry.”
He also mentions that CEO Marissa Mayer doesn’t use a passcode on her iPhone.
The vulnerabilities exposed by High-Tech Bridge have reportedly been fixed by Yahoo. It’s unclear how they spent their Yahoo Store credit.