Yahoo slammed over $12.50 security flaw rewards

Security researchers claim paltry bounty will not encourage others to share their findings.


Yahoo has been criticised for allegedly rewarding security researchers who uncover flaws in its products with discounts on branded goods sold through its company store.

IT security services provider High-Tech Bridge claims to have been offered a $12.50 discount code for each security flaw it uncovered, which was only redeemable in the Yahoo Company Store.

The organisation said it was offered the reward by Yahoo after discovering several cross-site scripting (XSS) vulnerabilities.

Each one reportedly would have allowed any @yahoo.com email account to be compromised if its owner, while logged into the site, clicked on a specially crafted link.

The company's research team said it notified Yahoo of the flaws on Monday 23 September, but claims only two of them were acknowledged within 48 hours of the report being made.

"Yahoo warmly thanked us for reporting the vulnerabilities and offered us...12.50 USD reward per one vulnerability," the company said in a statement.

"Moreover, this sum was given as a discount code that can only be used in the Yahoo Company Store, which sells Yahoo's corporate T-shirts, cups, pens and accessories."

All of the vulnerabilities exposed by High-Tech Bridge, including another it reported that Yahoo claimed had already been discovered, have now been patched.

Ilia Kolochenko, High-Tech Bridge CEO, has called on Yahoo to rethink its rewards scheme, because it offers little incentive to report bugs.

"Paying several dollars per vulnerability is a bad job and won't motivate people to report security vulnerabilities to them, especially when such vulnerabilities can be easily sold on the black market for a much higher price," he said.

"If Yahoo cannot afford to spend money on its corporate security, it should at least try to attract security researchers by other means. Otherwise none of Yahoo's customers are safe."

IT Pro approached Yahoo for comment on this story, but was still awaiting a response at the time of publication.

This is the second time in less than a week that Yahoo's attitude to security has come under scrutiny.

The company's decision to reuse inactive email addresses has led to complaints by some users that they've received personal emails intended for the previous owner.
