Yahoo slammed over $12.50 security flaw rewards

Security researchers claim paltry bounty will not encourage others to share their findings.


Yahoo has been criticised for allegedly rewarding security researchers who uncover flaws in its products with discounts on branded goods sold through its company store.

IT security services provider High-Tech Bridge claims to have been offered a $12.50 discount code for each security flaw it uncovered, which was only redeemable in the Yahoo Company Store.

The organisation said it was offered the reward by Yahoo after discovering several Cross-Site Scripting (XSS) vulnerabilities.

Each one reportedly would have allowed an attacker to compromise any Yahoo email account by getting its owner to click a specially crafted link while logged into the site.


The company's research team said it notified Yahoo of the flaws on Monday 23 September, but claims only two of them were acknowledged within 48 hours of the report being made.

"Yahoo warmly thanked us for reporting the vulnerabilities and offered us...12.50 USD reward per one vulnerability," the company said in a statement.

"Moreover, this sum was given as a discount code that can only be used in the Yahoo Company Store, which sells Yahoo's corporate T-shirts, cups, pens and accessories."

All of the vulnerabilities exposed by High-Tech Bridge, including another it reported that Yahoo claimed had already been discovered, have now been patched.

Ilia Kolochenko, High-Tech Bridge CEO, has called on Yahoo to rethink its rewards scheme, because it offers little incentive to report bugs.

"Paying several dollars per vulnerability is a bad job and won't motivate people to report security vulnerabilities to them, especially when such vulnerabilities can be easily sold on the black market for a much higher price," he said.


"If Yahoo cannot afford to spend money on its corporate security, it should at least try to attract security researchers by other means. Otherwise none of Yahoo's customers are safe."

IT Pro approached Yahoo for comment on this story, but was still awaiting a response at the time of publication.

This is the second time in less than a week that Yahoo's attitude to security has come under scrutiny.

The company's decision to reuse inactive email addresses has led to complaints by some users that they've received personal emails intended for the previous owner.
