The Hacker News Logo
Subscribe to Newsletter

Yahoo! discourages Security Researchers with just $12.50 bug bounty for vulnerability reporting

Today more and more companies are looking for external security researchers to help identify vulnerabilities and weaknesses in their applications through Bug Bounty Programs. While companies like Facebook and Google are paying out hundreds of dollars to researchers for reporting security vulnerabilities, But according to Yahoo! Your email's security worth only $12.50 !

Yahoo is not having very good run in the reputation department when it comes to user security. Researchers at High-Tech Bridge found a few bugs, and were not exactly impressed with Yahoo’s reward.

They pointed out cross-site scripting (XSS) flaws affecting two Yahoo domains and in return they received $12.50 bounties for each vulnerability they found. This amount was given as a discount code that can only be used in the Yahoo Company Store, which sells Yahoo’s corporate T-shirts, cups, pens and other accessories.
This isn’t exactly a great reward for spending time reporting security vulnerabilities, and therefore doesn’t encourage researchers to spend time doing so for Yahoo! Services.


Ilia Kolochenko, High-Tech Bridge CEO, says: “Paying several dollars per vulnerability is a bad joke and won’t motivate people to report security vulnerabilities to them, especially when such vulnerabilities can be easily sold on the black market for a much higher price. Nevertheless, money is not the only motivation of security researchers."

"If Yahoo cannot afford to spend money on its corporate security, it should at least try to attract security researchers by other means. Otherwise, none of Yahoo’s customers can ever feel safe.

All of the vulnerabilities have since been patched by Yahoo and they responded, "Unfortunately this submission does not qualify for a reward because it has already been reported by another individual. Please continue to send in any other vulnerabilities that you may discover in the future."

Have something to say about this article? Comment below or share it with us on Facebook, Twitter or our LinkedIn Group.
SHARE
Comments
Latest Stories
Best Deals

Newsletter — Subscribe for Free

Join over 500,000 information security professionals — Get the best of our cyber security coverage delivered to your inbox every morning.