October 3, 2013

Yahoo bug rewards

Was Yahoo Mail user security being undermined by rubbish rewards for reporting bugs?

By Cbr Rolling Blog

The news that Yahoo was rewarding diligent white hat hackers who identified security flaws for the tech giant with a $12.50 discount in its online store should scare anyone who uses the search engine firm’s services, especially email.

Security group High-Tech Bridge identified four bugs with Yahoo services – a reflected XSS vulnerability affecting the marketingsolutions.yahoo.com domain and three more affecting the ecom.yahoo.com and adserver.yahoo.com domains.

Yahoo told the company the first had already been reported, but thanked it kindly for notifying Yahoo of the other three, which had the potential to compromise any @yahoo.com email account.

Fixing these bugs was only worth a t-shirt and a measly $12.50 per report, apparently.

Now, let’s compare that to other companies’ rewards. Google – which has the security of Gmail and Chrome to protect – recently upped its reward of $1,000 per report to $5,000.

That’s without additional bonuses for when hackers really save the search engine giant’s bacon.

Facebook pays a minimum reward of $500 for each bug reported to its team (though did not pay Khalil Shreateh, who posted on Mark Zuckerberg’s wall to demonstrate a bug after he was ignored by the security team).


Director of Yahoo Paranoid (which deals with attacks on the business), Ramses Martinez, effectively told CBR that people who complained about his policy were being ungrateful.

He said that when he joined, there was no formal procedure for rewarding such hackers – instead "I started sending a t-shirt as a personal ‘thanks’. It wasn’t a policy, I just thought it would be nice to do something beyond an email. I even bought the shirts with my own money."

Poor old Martinez. Though he clearly wants to be a good guy and demonstrate Yahoo’s thanks for the report, he’s just not thinking with his head. How many of those who reported bugs for such a crummy reward went and took the time to find another one, I wonder?

As High-Tech Bridge’s Ilia Kolochenko said: "Paying several dollars per vulnerability is a bad joke and won’t motivate people to report security vulnerabilities to them, especially when such vulnerabilities can be easily sold on the black market for a much higher price."

Yahoo is now offering rewards of $150 – $15,000 for bug reports, a policy it claims it is bringing forward from October 31 in response to the criticism it has received.

But it should have been in place all the time – if you don’t feel confident about your email’s security, you won’t keep it running long.
