Yahoo! offers $25 voucher to researcher who uncovered serious bug
Yahoo!: Not rewarding security tips as handsomely as its rivals. Photo: Getty Images
If you are a skilled security researcher and you uncover and report a Microsoft bug or vulnerability, you might get up to $US100,000. With Facebook, you might get $US12,500, and with Google, the reward could be $US20,000.
In Yahoo's case, you get a $25 voucher that can only be used to buy company swag, such as a T-shirt, a few light-up ice cubes or some "poopy bag dispensers" – though some of these don't even sport the new Yahoo! logo.
That's the paltry reward that Yahoo! offered to a Swiss security researcher who uncovered and responsibly reported three serious vulnerabilities on September 23.
"Initially I thought it was a joke," said Ilia Kolochenko, chief executive of security firm High Tech Bridge.
If exploited by malicious hackers, the bugs could allow them to take over any Yahoo! email account by tricking a logged-in user into clicking a specially crafted link, according to a blog post published by High Tech Bridge, the security firm that found the bugs.
In recent years, so-called bug bounty programs have become very popular among Silicon Valley companies. In essence, these programs pay security researchers or hackers who find bugs in a company's products or software and responsibly report them to that company rather than exploiting or selling them. Google, Facebook and Microsoft all have such programs. Yahoo! doesn't, although it encourages researchers to report vulnerabilities.
"If you are a member of the security community and need to report a technical vulnerability, contact: firstname.lastname@example.org," the Yahoo! security policies state.
With that in mind, Kolochenko set out to find out more about how exactly Yahoo! deals with these kinds of reports.
"The goal of the experiment was very simple: to find out how quickly security vulnerabilities on well-known websites such as Yahoo! can be found and to see how the company reacts to a vulnerability notification," the firm wrote in its blog post.
Kolochenko started working on the experiment on September 18 and, by accident, quickly found one bug, which he reported. The Yahoo! security team responded that the vulnerability had already been flagged.
On September 22, while stuck in an airport lounge for six hours, he found three serious cross-site scripting (XSS) vulnerabilities affecting the domains ecom.yahoo.com and adserver.yahoo.com. These bugs could have been used to hack into Yahoo! email accounts, according to Kolochenko.
When he reported them, Yahoo! acknowledged two of the three bugs and thanked him, offering a $US25 (or $US12.50 per bug) discount voucher to be used on the Yahoo! Company Store.
While Kolochenko said he "was not doing the research for money", he found the amounts "quite surprising".
"I didn't complain," he said. "[I] just asked them if they have an 'Honour Roll' and if they really pay these amounts."
Facebook, by comparison, recently paid $US12,500 to a hacker who found a bug that allowed him to delete any user's pictures, though the social network also recently declined to reward another hacker who broke into Mark Zuckerberg's Timeline.
Kolochenko decided to "hold off on further research" and, needless to say, was disappointed by the outcome.
"Yahoo! should probably revise their relations with security researchers," Kolochenko was quoted as saying in the blog post. "Paying several dollars per vulnerability is a bad joke and won't motivate people to report security vulnerabilities to them, especially when such vulnerabilities can be easily sold on the black market for a much higher price."
Security expert and blogger Graham Cluley also criticised Yahoo! in a blog post.
"Of course, money (and t-shirts) shouldn't be the only motivation for reporting a security vulnerability," he wrote. "But such a risible reward is unlikely to win Yahoo! any friends and could – if anything – make it less likely that the site will gain the assistance of white-hats in future."
Yahoo! did not respond to requests for comment, but High Tech Bridge said all of the bugs had been patched by Yahoo! by the time the security firm disclosed the incident in its blog post.
Mashable is the largest independent news source covering digital culture, social media and technology.