Yahoo slammed over $12.50 security flaw rewards
Security researchers claim paltry bounty will not encourage others to share their findings.
Yahoo has been criticised for allegedly rewarding security researchers who uncover flaws in its products with discounts on branded goods sold through its company store.
IT security services provider High-Tech Bridge claims to have been offered a $12.50 discount code for each security flaw it uncovered, which was only redeemable in the Yahoo Company Store.
The organisation said it was offered the reward by Yahoo after discovering several cross-site scripting (XSS) vulnerabilities.
Each one would reportedly have allowed any @yahoo.com email account to be compromised if its owner could be persuaded to click a specially crafted link while logged into the site.
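The link-based compromise described above is the classic reflected XSS pattern: a value taken from the request is written into the page without encoding, so a crafted URL makes the victim's own browser run attacker-chosen script in the site's origin. The following is an added JavaScript example for illustration, not Yahoo's code or anything from High-Tech Bridge's report; the search page, its `q` parameter and the `h1` template are assumptions. It shows the unsafe reflection beside the encoded version, and a simple check that flags a tag in the rendered output which was not part of the template.

```javascript
// Added example (not from the article): reflected XSS in a server-rendered
// search page and its fix by output encoding. Page layout and the "q"
// parameter are assumptions made for the demonstration.

// Encode the five characters that matter when untrusted text is placed
// inside an HTML element body or a quoted attribute value.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable: the query parameter is concatenated straight into the markup,
// so any markup in the URL becomes part of the page.
function renderResultsUnsafe(query) {
  return `<h1>Results for: ${query}</h1>`;
}

// Hardened: identical template, but the untrusted value is entity-encoded
// before it is inserted, so the browser treats it as text, never as markup.
function renderResultsSafe(query) {
  return `<h1>Results for: ${escapeHtml(query)}</h1>`;
}

// Regression check for a test suite or code review: the template only ever
// emits <h1>, so any other tag name in the output means input reached the
// page unencoded.
function hasUnexpectedTags(html, allowed = new Set(["h1"])) {
  const tagRe = /<\/?([a-zA-Z][a-zA-Z0-9-]*)/g;
  let match;
  while ((match = tagRe.exec(html)) !== null) {
    if (!allowed.has(match[1].toLowerCase())) {
      return true;
    }
  }
  return false;
}

// Constructed sample input: a textbook proof-of-concept payload as it would
// arrive in the "q" parameter of the crafted link.
const samplePayload = "<script>alert(document.domain)</script>";

console.log("unsafe:", renderResultsUnsafe(samplePayload));
console.log("safe:  ", renderResultsSafe(samplePayload));
console.log("unsafe flagged:", hasUnexpectedTags(renderResultsUnsafe(samplePayload)));
console.log("safe flagged:  ", hasUnexpectedTags(renderResultsSafe(samplePayload)));
```

Encoding must match the context the value lands in: the encoder above is right for element bodies and quoted attributes, but a value written into a JavaScript block, a URL or a CSS rule needs the encoding for that context, which is why templating engines that escape by default are the usual fix rather than hand-placed calls.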
The company's research team said it notified Yahoo of the flaws on Monday 23 September, but claims only two of them were acknowledged within 48 hours of the report being made.
"Yahoo warmly thanked us for reporting the vulnerabilities and offered us...12.50 USD reward per one vulnerability," the company said in a statement.
"Moreover, this sum was given as a discount code that can only be used in the Yahoo Company Store, which sells Yahoo's corporate T-shirts, cups, pens and accessories."
All of the vulnerabilities exposed by High-Tech Bridge, including another it reported that Yahoo claimed had already been discovered, have now been patched.
Ilia Kolochenko, High-Tech Bridge CEO, has called on Yahoo to rethink its rewards scheme, because it offers little incentive to report bugs.
"Paying several dollars per vulnerability is a bad job and won't motivate people to report security vulnerabilities to them, especially when such vulnerabilities can be easily sold on the black market for a much higher price," he said.
"If Yahoo cannot afford to spend money on its corporate security, it should at least try to attract security researchers by other means. Otherwise none of Yahoo's customers are safe."
IT Pro approached Yahoo for comment on this story, but was still awaiting a response at the time of publication.
This is the second time in less than a week that Yahoo's attitude to security has come under scrutiny.
The company's decision to reuse inactive email addresses has led to complaints by some users that they've received personal emails intended for the previous owner.