Grim warning for bounty hunters – Yahoo pays out paltry $12.50 per vulnerability

Finding vulnerabilities can be a profitable business – even if you work for the right side of the law. Last month, Facebook paid out $12,500 to a researcher for finding a bug – this month, Yahoo! paid out $12.50.

Yahoo!’s more modest “Bug Bounty” was not even paid in money – it came in the form of vouchers for Yahoo!’s corporate store, where fans can buy purple hats, T-shirts, and a desk toy that yodels “Yahoo!” The payout has been widely mocked, according to The Inquirer.

Many companies – including internet giants such as Google and Mozilla – rely on “bug bounty” programmes as a cost-effective way of finding flaws. Most researchers don’t earn the equivalent of a salary – but the thought of a “big” bounty keeps people interested, according to a recent UC Berkeley study.

But Yahoo’s bounties don’t offer much of an incentive, says Ilia Kolochenko, CEO of Swiss firm High-Tech Bridge. Kolochenko claims that he and his team decided to “test” Yahoo’s programme by sending in vulnerabilities – but that their first was rejected as “not new”, having already been reported by another researcher.

“By Monday the 23rd of September the Yahoo Security Team was notified of 3 more XSS vulnerabilities affecting the and domains. Each of the discovered vulnerabilities allowed any email account to be compromised simply by sending a specially crafted link to a logged-in Yahoo user and making him/her click on it,” Kolochenko says.

“This time Yahoo took 48 hours to reply only about two XSS affecting Yahoo warmly thanked us for reporting the vulnerabilities and offered us… 12.50 USD (twelve dollars and fifty cents) reward per one vulnerability. Moreover, this sum was given as a discount code.”

Kolochenko says: “Yahoo should probably revise their relations with security researchers. Paying several dollars per vulnerability is a bad joke and won’t motivate people to report security vulnerabilities to them, especially when such vulnerabilities can be easily sold on the black market for a much higher price.”

Yahoo has recently come under fire for bad security practice in recycling old email addresses – with “new” users complaining of receiving personal emails intended for the old owners – including wedding invitations.

Last month, a bug which allowed any Facebook user to delete photos from any other user’s page without their knowledge has earned its discoverer $12,500 under Facebook’s “bug bounty” program – more than 10 times the average payout.

Arul Kumar, 21, demonstrated the bug in a video where he almost – but not quite – deleted a video from Mark Zuckerberg’s photo page.

Author , We Live Security

  • Jammer

    I found a few in my time using Yahoo’s network, T=Epochtime(1969); by setting the epoch time back to 1969, I could then login to any account without the use of a password (blank Y + T cookies) using the https login string. If you changed the password, I could simply go back in and change it to how it suited me. Yahoo’s neglected network is full of holes; I even created an exploit which uploaded a trojan to the user’s desktop without their knowledge and then would send a d/c packet (BD) and close their session. The trick was to create an icon that looked like the Yahoo Messenger icon but unbeknown to them it was a trojan. I reported this and waited 3 months before releasing it to the public. Yahoo==yahp00

Copyright © 2018 ESET, All Rights Reserved.