Slashdot Mirror


Security Researchers Rewarded With $12.50 Voucher To Buy Yahoo T-Shirt

Hugh Pickens DOT Com writes "More and more companies are offering Bug Bounty Programs remunerating security researchers for reporting vulnerabilities and weaknesses in their applications and software. Now security analyst Graham Cluley writes that researchers at High-Tech Bridge informed Yahoo's Security Team about three cross-site scripting (XSS) vulnerabilities affecting the ecom.yahoo.com and adserver.yahoo.com domains. According to High-Tech Bridge, each of the vulnerabilities could compromise *any* @yahoo.com email account. All that was required was that the victim, while logged into Yahoo, should click on a specially-crafted link received in an email. Forty-eight hours later, Yahoo had patched all of the vulnerabilities and Yahoo's security team responded, thanking the researchers and 'offering the mighty bounty of err.. $12.50 per vulnerability,' writes Cluley. But there was one catch. The $12.50 was given as a discount code that can only be used in the Yahoo Company Store, which sells Yahoo's corporate t-shirts, cups, pens and other accessories."

14 of 138 comments

  1. This is news? by Anonymous Coward · · Score: 4, Insightful

    They had many choices, simply two choices: Report bug and get $12.50, amazing yahoo was not giving them tree fidy.
    They could have gone onto some darknets and sold the report for $100,000+. The choice was theirs to make.

    1. Re:This is news? by Dexter+Herbivore · · Score: 5, Insightful

      They had many choices, simply two choices: Report bug and get $12.50, amazing yahoo was not giving them tree fidy. They could have gone onto some darknets and sold the report for $100,000+. The choice was theirs to make.

      Which is exactly why Yahoo should have paid them more. Make the choice less obvious and save themselves a lot of grief further down the line.

    2. Re:This is news? by rapiddescent · · Score: 3, Insightful

      At my local OWASP chapter meeting some months ago, we did a show of hands about how many people had reported via the pay-for-security-bug middlemen organisations rather than contacting the vendor/website directly. About 30% put their hands up. I was quite astounded, although, having been threatened legally myself when I called in a bug found on an eComm website, I would no longer go directly to the owner of the system unless I had a contract in place already. The money is apparently quite good; so long as you don't care who is using the bug...

    3. Re:This is news? by Joining+Yet+Again · · Score: 3, Insightful

      Oh, for fuck's sake, this argument is just awful. "Well, people SHOULD pay protection money, because otherwise anyone with enough strength might break their legs."

      This is mafia reasoning, and it's shameful that geeks are increasingly engaging in this sort of argument.

      Guess what? I can also break into most people's houses and nick their stuff without getting caught. They have ground floor windows, old doors, &c. That doesn't mean they owe me anything for NOT doing that, nor for sending them unsolicited notices that it would be easy to take their stuff. Indeed, English law at least is comfortable with the idea that you never owe anything for unsolicited work, even if it's beneficial. No one was making these "hackers" do the work - they were either bored or wanted the notoriety.

    4. Re:This is news? by chaboud · · Score: 5, Insightful

      There is no cognitive fault, but instead, a conditioned, and, frankly, dangerous, view of software as protected by legal remedy. This idea has left us with shit software supported by careless organizations propagating paper-thin security already compromised by rafts of governments. A network is a dangerous place, and software and hardware should treat networks like the wild west when it comes to privacy/security.

      On your other point, regarding "protection money," the reasoning is rather simple. People respond to incentives. If hackers have little to no financial reason to disclose a vulnerability to Yahoo, some may be motivated to find other ways to monetize their efforts. Forget legality/morality for a second and just think about incentives. What Yahoo is doing is removing their incentive for responsible disclosure. By providing a T-Shirt voucher, they're probably incentivizing attack by otherwise disinterested parties, just for the middle-finger of it all.

    5. Re:This is news? by AmiMoJo · · Score: 4, Insightful

      I see it differently. In real life we pay for cops via taxes. Part of their job is to offer advice and even survey your home for ways that criminals might break in. It's part of the service.

      The internet doesn't have cops, but it does have criminals. Fortunately there are good guys who are willing to report flaws when they see them. Unfortunately many companies react to this helpful advice by threatening to sue or even trying to have the white hat arrested. Bug bounties make it clear that the company sees reporting as a valuable service and intends to act swiftly on reported problems.

      Bug bounties also encourage people to look for issues from the outside, which is apparently quite valuable since the people on the inside seem to miss them quite often.

      Companies should pay bug bounties when the issue is security, not as a kind of protection money but as a way of saying they take security seriously and wish to reward those who help them with it.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC

    6. Re:This is news? by Joining+Yet+Again · · Score: 1, Insightful

      Forget legality/morality for a second

      No, that's an awful idea.

      and just think about incentives.

      My incentive is that I build a better society through responsible disclosure. Morality helps me reach that conclusion.

    7. Re:This is news? by Sockatume · · Score: 5, Insightful

      Or paid them nothing. A small material reward is often more insulting than no reward but having done the right thing.

      --
      No kidding!!! What do you say at this point?

    8. Re:This is news? by CODiNE · · Score: 4, Insightful

      When a diner doesn't leave a tip the waiter can reason "Maybe they forgot".

      Now when the diner leaves a nickel on the table....

      --
      Cwm, fjord-bank glyphs vext quiz

    9. Re:This is news? by 6Yankee · · Score: 4, Insightful

      Absolutely.

      When I worked in McJail, the grease trap exploded on one of my night shifts. BLAM! Couldn't use the sinks, and (once it had all rained back down from the ceiling and flowed down the walls) the back-room was ankle deep in nasty. In order to get the place ship-shape for the morning, I took all the dirty equipment to the local gas station and jet-washed it on my own dime, after rolling in the grease trying to unblock the pipe with my bare hands. While the other two put the rest of the store in order and went home, I was still there three hours after the end of my shift, cleaning up the mess as fast as it could drip from my body.

      The store manager gave me a warm and heartfelt thank-you, although she had the good sense to refrain from shaking my hand. Then she gave me a present. It was the free plastic pen that the plumber had given her.

      From there on in, every time I was tempted to go above and beyond the call of duty, I thought of that pen. That was ten years ago, and I still have it somewhere as a reminder.

    10. Re:This is news? by VortexCortex · · Score: 3, Insightful

      Worse than a nickel... They left vouchers for T-shirts advertising their shitty website -- folks pay for advertising, so it was actually a negative tip.

  2. Re: Why do people still do this anymore? by Anonymous Coward · · Score: 1, Insightful

    Sell them.

  3. Re:So . . . by buchner.johannes · · Score: 4, Insightful

    At least Yahoo! thanked them explicitly and didn't threaten to sue them.

    --
    NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.

  4. Re:So . . . by Sun · · Score: 3, Insightful

    If you contacted me and reported a bug in fakeroot-ng or rsyncrypto, I'd fix it. I'd do it for free. I'll say "thank you" for reporting it.

    If you contacted me with the precise same bug, and offered to pay me $1000 to fix it, I'd take your money and fix it as soon as I could, because I believe it is okay for FOSS developers to make money from their work.

    If you contacted me and offered to pay me $10, I'd probably be offended.* If you can't afford to pay me a reasonable fee for my time, then ask me nicely to volunteer it. Do not, however, presume to pay me an unreasonable fee for it. There are things I'd happily do for free that I will simply refuse to do for a reward that is demeaning.

    Shachar

    * - If you waited for me to fix it, and then contributed $10 to my PayPal account, I'd not only say "thank you", I'd even happily tell everyone I know that someone did it. $10 makes for a lousy paycheck, but it's a perfectly reasonable donation.