Thursday, 3 October 2013

Yahoo slammed for paltry $12.50 reward vouchers for security flaw finds

Yahoo offers a range of merchandise including this fetching cap for five dollars
White hats get paid in purple caps for public service
Security researchers who uncovered multiple hazardous security glitches relating to Yahoo's various websites were paid a measly $12.50 for each of their efforts. In an added twist, the reward was only available as a Yahoo discount code instead of cash.
High-Tech Bridge, which carried out the research, found four XSS vulnerabilities in Yahoo's Ecom and Ad Server domains. The bugs left users open to attack if a third party created a URL that linked to a malicious piece of JavaScript.
High-Tech Bridge reported four flaws to Yahoo, as recommended on the firm's security pages. In response, Yahoo sent the hackers a gift certificate for $25 to be used in Yahoo's online store, which sells a range of Yahoo-branded products including hats, mugs and iPhone cases. The reward was for two flaws, while Yahoo said one other bug had already been found by another user and the fourth received no response.
High-Tech Bridge says all four problems it reported to Yahoo have since been fixed. However, in protest it has abandoned its efforts to find more flaws in Yahoo's services. Ilia Kolochenko, High-Tech Bridge CEO, said the firm should revise its policies, which currently appear to be a "bad joke" and will not motivate the security community.
"Paying several dollars per vulnerability is a bad joke and won’t motivate people to report security vulnerabilities to them, especially when such vulnerabilities can be easily sold on the black market for a much higher price.
He said the company could at least consider other methods to reward security researchers:
"Money is not the only motivation of security researchers. This is why companies like Google efficiently play the ego card in parallel with [much higher] financial rewards and maintain a ‘Hall of Fame’ where all security researchers who have ever reported security vulnerabilities are publicly listed," he said.
"If Yahoo cannot afford to spend money on its corporate security, it should at least try to attract security researchers by other means. Otherwise, none of Yahoo’s customers can ever feel safe.“
"Yahoo does not publicly say it offers bounty reward for the security community, but nonetheless the money paid does not compare well to Facebook's bounty reward programme, which pays a minimum of $500 for successful reports."
In June, Facebook shelled out $20,000 to a hacker who spotted a serious flaw, which could have left accounts open to hijacking. 
Brian Martin, president of the Open Security Foundation, said the incident proved that vendors and websites should take community security reports more seriously. "Vendor bug bounties are not a new thing. Recently, more vendors have begun to adopt and appreciate the value it brings their organisation, and more importantly their customers," he stated.
"Even Microsoft, which was the most notorious hold-out on bug bounty programs realised the value and jumped ahead of the rest, offering up to $100,000 for exploits that bypass its security mechanisms. Other companies should follow its example and realise that a simple 'hall of fame' credit to buy the vendor's products, or a pittance in cash is not conducive to researcher co-operation."