Some companies pay their janitors more than they do security researchers

Oct 1, 2013 07:57 GMT

Security researchers from High-Tech Bridge have identified three cross-site scripting (XSS) vulnerabilities on Yahoo domains. For their effort, the company has rewarded them with $12.5 (€9) for each of the issues.

Major companies have started realizing that the only way they can make sure their services are secure is by launching bug bounty programs that reward security researchers for finding vulnerabilities.

Yahoo is one of those companies. However, unlike other major players, such as Facebook and Google, the rewards they hand out are far smaller.

In mid-September, High-Tech Bridge decided to perform a little experiment to find out how major companies responded to vulnerability notifications.

The first XSS vulnerability they found was on the marketingsolutions.yahoo.com domain. Yahoo confirmed its existence in less than 24 hours, but claimed that others had reported it earlier.

Later, three additional XSS flaws were uncovered in ecom.yahoo.com and adserver.yahoo.com and reported to Yahoo.

According to High-Tech Bridge, the security holes could have been exploited by hackers to compromise email accounts simply by tricking a logged-in user into clicking on a specially crafted link.

By September 30, when the researchers published their findings, all the issues they uncovered had been fixed. However, they didn’t get much of a reward – $12.5 (€9) for each of the vulnerabilities, money that could only be spent in the Yahoo Company Store.

“Yahoo should probably revise their relations with security researchers. Paying several dollars per vulnerability is a bad joke and won’t motivate people to report security vulnerabilities to them, especially when such vulnerabilities can be easily sold on the black market for a much higher price,” High-Tech Bridge CEO Ilia Kolochenko noted.

The expert states that even if Yahoo cannot afford to hand out considerable financial rewards, the company should at least try to attract researchers by other means.

Brian Martin, president of Open Security Foundation, notes that companies should make an effort to appreciate the value of a bug bounty program.

“Some of these companies pay their janitors more money to clean their offices than they do security researchers finding vulnerabilities that may put thousands of their customers at risk,” he said.