Today more and more companies are looking for external security researchers to help identify vulnerabilities and weaknesses in their applications through Bug Bounty Programs. While companies like Facebook and Google are paying out hundreds of dollars to researchers for reporting security vulnerabilities, But according to Yahoo! Your email's security worth only $12.50 !
Yahoo is not having very good run in the reputation department when it comes to user security. Researchers at High-Tech Bridge found a few bugs, and were not exactly impressed with Yahoo’s reward.
They pointed out cross-site scripting (XSS) flaws affecting two Yahoo domains and in return they received $12.50 bounties for each vulnerability they found. This amount was given as a discount code that can only be used in the Yahoo Company Store, which sells Yahoo’s corporate T-shirts, cups, pens and other accessories.
This isn’t exactly a great reward for spending time reporting security vulnerabilities, and therefore doesn’t encourage researchers to spend time doing so for Yahoo! Services.
Ilia Kolochenko, High-Tech Bridge CEO, says: “Paying several dollars per vulnerability is a bad joke and won’t motivate people to report security vulnerabilities to them, especially when such vulnerabilities can be easily sold on the black market for a much higher price. Nevertheless, money is not the only motivation of security researchers."
"If Yahoo cannot afford to spend money on its corporate security, it should at least try to attract security researchers by other means. Otherwise, none of Yahoo’s customers can ever feel safe.”
All of the vulnerabilities have since been patched by Yahoo and they responded, "Unfortunately this submission does not qualify for a reward because it has already been reported by another individual. Please continue to send in any other vulnerabilities that you may discover in the future."