Yahoo! Pays! Paltry! $12.50! Bug! Bounty! For! Nasty! Email! Vuln!

And even that had to be spent on Yahoo! tat

Yahoo! has paid a bug bounty to security researchers who found a bug that “allowed any @yahoo.com email account to be compromised simply by sending a specially crafted link to a logged-in Yahoo! user and making him/her clicking on it.” But the bounty was just $US12.50 and came in the form of a voucher that could only be spent in the Yahoo! company store on branded tat.

The quote above comes from a canned statement from Switzerland-based security outfit High-Tech Bridge, which says it set out to test the efficacy of bug bounties by seeing if it could find a flaw on Yahoo! The statement says that 45 minutes into testing, the XSS flaw detailed above reared its ugly head, leading the company to report the vulnerability to Yahoo!, which responded with an email saying the bug was known and so did not qualify for payment.

Undeterred, the team sent in another three flaws, all of which had the same effect. Yahoo! eventually bit and offered the $US12.50 gift voucher as a bounty.

High-Tech Bridge's CEO Ilia Kolochenko has reacted badly to that offer, declaring it “a bad joke” and opining it “won’t motivate people to report security vulnerabilities to them, especially when such vulnerabilities can be easily sold on the black market for a much higher price.”

He goes on to say that at $12.50 a bug, Yahoo! has little chance of delivering decent security.

“If Yahoo! cannot afford to spend money on its corporate security, it should at least try to attract security researchers by other means. Otherwise, none of Yahoo!’s customers can ever feel safe,” he writes. ®
