Slashdot Mirror


Security Researchers Rewarded With $12.50 Voucher To Buy Yahoo T-Shirt

Hugh Pickens DOT Com writes "More and more companies are offering Bug Bounty Programs remunerating security researchers for reporting vulnerabilities and weaknesses in their applications and software. Now security analyst Graham Cluley writes that researchers at High-Tech Bridge informed Yahoo's Security Team about three cross-site scripting (XSS) vulnerabilities affecting the ecom.yahoo.com and adserver.yahoo.com domains. According to High-Tech Bridge, each of the vulnerabilities could compromise *any* @yahoo.com email account. All that was required was that the victim, while logged into Yahoo, should click on a specially-crafted link received in an email. Forty-eight hours later, Yahoo had patched all of the vulnerabilities and Yahoo's security team responded, thanking the researchers and 'offering the mighty bounty of err.. $12.50 per vulnerability,' writes Cluley. But there was one catch. The $12.50 was given as a discount code that can only be used in the Yahoo Company Store, which sells Yahoo's corporate t-shirts, cups, pens and other accessories."

3 of 138 comments

  1. Better than Microsoft (remember this story?) by Anonymous Coward · · Score: 3, Interesting

    When Microsoft lost their Hotmail domain name, some guy snatched it and kindly returned it to Microsoft because he thought it was the right thing to do, to protect Microsoft from their stupidity. Well, Microsoft sent him a personal thank you note and that was all. Yep, the guy could have legally resold the domain for like a billion dollars (wouldn't be the first time.. ahem, live.com) and gotten away with it. All he got was a lousy certificate of gratitude.

  2. Re:They must have an exclusive store by antifoidulus · · Score: 3, Interesting

    Considering the ROI on security bug bounties, they really should have one that just has a Yahoo! logo and the text "I'm with stupid"

  3. Re:So . . . by gr33n_lant3rn · · Score: 3, Interesting

    After lurking on Slashdot for the last 10 years, this post finally got me to set up an account. Woo! It's my ... well, you know. The hypothesis here is that Yahoo didn't pay for the exploits, so obviously grey hats will go to the black market. Further, it's ethically justified because of the slap in the face. I think if you tell a private company that they have a security problem, and they thank you, you can pat yourself on the back. If you're doing it specifically for money, then don't spend your time on Yahoo. I don't think it's ethically justified to specifically look for and sell these exploits on the black market, just because you feel morally righteous about a t-shirt. Where are your hacker ethics? Even more, you've forgotten that you have a civic responsibility. Recently, I drove past a high tension line on Route 1, and noticed that one of the towers was about to fall over. I could see it from the highway, and I'm a nerd, so I'm observant. I told Dominion VA Power about it, and within a day, they had a crew out to fix it. It potentially saved them millions. I asked for nothing in return and got nothing. By your logic, I should sell the location of the next messed up tower to terrorists so they can destroy a chunk of the power grid. Why on earth would I want to do that? Even if I don't use power from those lines, I almost certainly have friends and family that do. Same with Yahoo. Even if I don't use them, someone I know almost certainly does. Why wouldn't I want to perform a civic duty to protect them? Again, if they won't pay me, I'm not going to walk the entire length of their lines and function as a free lineman for the power company. I'm also not going to be a dick about it. I'm just going to feel good about myself.