Today more and more companies are looking to external security researchers to help identify vulnerabilities and weaknesses in their applications through Bug Bounty Programmes.
These programmes are not without their problems; Facebook's Bug Bounty programme is a case in point, and questions about programmes run by other companies regularly attract media attention.
The team at High-Tech Bridge wanted to test how well these Bug Bounty programmes work by seeing how quickly security vulnerabilities on well-known websites could be found and how the recipient of a vulnerability notification would react.
High-Tech Bridge selected Yahoo, which follows industry best practices and encourages security researchers to report discovered vulnerabilities: "If you are a member of the security community and need to report a technical vulnerability, contact: security@yahoo-inc.com." Though not in the same league as Facebook and Google, Yahoo handles sensitive information for hundreds of millions of users, so it appeared to be a perfect target for the experiment.
On Wednesday, September 18, 2013, using nothing more than a Firefox web browser, the team found the first cross-site scripting (XSS) vulnerability in just 45 minutes. It was a classic reflected XSS vulnerability affecting the marketingsolutions.yahoo.com domain, and it was immediately reported to Yahoo.
Yahoo's speed of response was laudable: a reply was received in less than 24 hours. The content of the response, however, was disappointing: "Unfortunately this submission does not qualify for a reward because it has already been reported by another individual. Please continue to send in any other vulnerabilities that you may discover in the future". The reply provided no evidence that the vulnerability had in fact been reported already.
The team continued its research on the following Sunday evening (September 22). By Monday, September 23, the Yahoo Security Team had been notified of three more XSS vulnerabilities, affecting the ecom.yahoo.com and adserver.yahoo.com domains. Each of them could be used to compromise any @yahoo.com email user's account: all that would be required was that the user, while logged in to Yahoo, click a specially crafted link received in an email.
This time Yahoo took 48 hours to reply. It warmly thanked High-Tech Bridge for reporting the vulnerabilities and offered a bounty of $12.50 per vulnerability, issued as a discount code that can only be used in the Yahoo Company Store, which sells Yahoo's corporate t-shirts, cups, pens and other accessories. At this point the High-Tech Bridge team decided to hold off on any further research for Yahoo.
Ilia Kolochenko, High-Tech Bridge CEO, says: "Yahoo should probably revisit its relations with security researchers. Paying several dollars per vulnerability is a bad joke and won’t motivate people to report security vulnerabilities to them, especially when such vulnerabilities can be easily sold on the black market for a much higher price. Nevertheless, money is not the only motivation of security researchers.
"This is why companies like Google efficiently play the ego card in parallel with much higher financial rewards and maintain a ‘Hall of Fame’ where all security researchers who have ever reported security vulnerabilities are publicly listed. If Yahoo cannot afford to spend money on its corporate security, it should at least try to attract security researchers by other means. Otherwise, none of Yahoo’s customers can ever feel safe."
Yahoo Paranoid’s director, Ramses Martinez, responded to the criticism in blog form. He said: "When I first took over the team that works with the security community on issues and vulnerabilities, we didn’t have a formal process to recognize and reward people who sent issues to us. We were very fast to remedy issues but didn’t have anything formal for thanking people that sent them in.
"I started sending a t-shirt as a personal 'thanks.' It wasn't a policy, I just thought it would be nice to do something beyond an email. I even bought the shirts with my own money. It wasn't about the money, just a personal gesture on my behalf. At some point, a few people mentioned they already had a t-shirt from me, so I started buying a gift certificate so they could get another gift of their choice. The other thing people wanted was a letter they could show their boss or client. I write these letters myself."
He continued: "We recently decided to improve the process of vulnerability reporting. My 'send a t-shirt' idea needed an upgrade. This month the security team was putting the finishing touches on the revised program. And then yesterday morning 't-shirt-gate' hit. My inbox was full of angry email from people inside and out of Yahoo. How dare I send just a t-shirt to people as a thanks?
"So rather than wait any longer, we've decided to preview our new vulnerability reporting policy a bit early," he said.
"The small print on the revised policy isn't quite final. We will release the new policy by October 31, 2013. In the meantime, the benefits of the policy will be implemented retroactively back to July 1, 2013. If you submitted something to us and we responded with an acknowledgement (and probably a t-shirt) after July 1st, we will reconnect with you about this new program. This includes, of course, a check for the researchers at High-Tech Bridge who didn't like my t-shirt."