Slashdot Mirror


Security Researchers Rewarded With $12.50 Voucher To Buy Yahoo T-Shirt

Hugh Pickens DOT Com writes "More and more companies are offering Bug Bounty Programs remunerating security researchers for reporting vulnerabilities and weaknesses in their applications and software. Now security analyst Graham Cluley writes that researchers at High-Tech Bridge informed Yahoo's Security Team about three cross-site scripting (XSS) vulnerabilities affecting the ecom.yahoo.com and adserver.yahoo.com domains. According to High-Tech Bridge, each of the vulnerabilities could compromise *any* @yahoo.com email account. All that was required was that the victim, while logged into Yahoo, should click on a specially-crafted link received in an email. Forty-eight hours later, Yahoo had patched all of the vulnerabilities and Yahoo's security team responded, thanking the researchers and 'offering the mighty bounty of err.. $12.50 per vulnerability,' writes Cluley. But there was one catch. The $12.50 was given as a discount code that can only be used in the Yahoo Company Store, which sells Yahoo's corporate t-shirts, cups, pens and other accessories."
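The story above concerns reflected XSS: a crafted link carries attacker-chosen markup in a query parameter, and the server echoes it unescaped into a page the logged-in victim views. The following is an added illustration in Python, not Yahoo's code or High-Tech Bridge's report: a renderer that echoes the parameter verbatim beside the escaped version, with the check a defender would run over responses. The host name, parameter name and probe string are constructed for the example.

```python
from html import escape
from urllib.parse import urlparse, parse_qs

# Constructed sample: a link a victim might click while logged in.  The
# parameter carries a harmless probe, enough to show whether the page
# escapes it before it lands inside HTML.
CRAFTED_LINK = "https://shop.example.test/search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E"


def param_value(url: str, name: str = "q") -> str:
    """Return the decoded value of one query parameter ('' if absent)."""
    return parse_qs(urlparse(url).query).get(name, [""])[0]


def render_vulnerable(url: str) -> str:
    """Echoes the parameter verbatim: the defect class the researchers reported.
    Whatever the link carried is now part of the DOM in the victim's session."""
    return f"<h1>Results for {param_value(url)}</h1>"


def render_hardened(url: str) -> str:
    """Same page, but the untrusted value is HTML-escaped for this context
    (angle brackets, quotes and ampersands become entities)."""
    return f"<h1>Results for {escape(param_value(url), quote=True)}</h1>"


def reflects_raw_markup(html: str, untrusted: str) -> bool:
    """Response check: does an untrusted value that contains markup appear in
    the page with its brackets intact?  True flags a reflected-XSS sink."""
    return "<" in untrusted and untrusted in html


if __name__ == "__main__":
    probe = param_value(CRAFTED_LINK)
    for name, render in (("vulnerable", render_vulnerable), ("hardened", render_hardened)):
        page = render(CRAFTED_LINK)
        print(f"{name:10s} reflects raw markup: {reflects_raw_markup(page, probe)}")
```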


  1. This is news? by Anonymous Coward · · Score: 4, Insightful

    They had many choices, simple two choices: Report bug and get $12.50, amazing yahoo was not giving them tree fidy. They could have gone onto some darknets and sold the report for $100,000+. The choice was theirs to make.

    1. Re:This is news? by Dexter+Herbivore · · Score: 5, Insightful

      They had many choices, simple two choices: Report bug and get $12.50, amazing yahoo was not giving them tree fidy. They could have gone onto some darknets and sold the report for $100,000+. The choice was theirs to make.

      Which is exactly why Yahoo should have paid them more. Make the choice less obvious and save themselves a lot of grief further down the line.

    2. Re:This is news? by rapiddescent · · Score: 3, Insightful

      At my local OWASP chapter meeting some months ago, we did a show of hands about how many people had reported via the pay-for-security-bug middlemen organisations rather than contacting the vendor/website directly. About 30% put their hands up. I was quite astounded, although, having been threatened legally myself when I called in a bug found on an eComm website, I would no longer go directly to the owner of the system unless I had a contract in place already. The money is apparently quite good; so long as you don't care who is using the bug...

    3. Re:This is news? by Joining+Yet+Again · · Score: 3, Insightful

      Oh, for fuck's sake, this argument is just awful. "Well, people SHOULD pay protection money, because otherwise anyone with enough strength might break their legs."

      This is mafia reasoning, and it's shameful that geeks are increasingly engaging in this sort of argument.

      Guess what? I can also break into most people's houses and nick their stuff without getting caught. They have ground floor windows, old doors, &c. That doesn't mean they owe me anything for NOT doing that, nor for sending them unsolicited notices that it would be easy to take their stuff. Indeed, English law at least is comfortable with the idea that you never owe anything for unsolicited work, even if it's beneficial. No one was making these "hackers" do the work - they were either bored or wanted the notoriety.

    4. Re:This is news? by Joining+Yet+Again · · Score: 2

      I'm not sure what cognitive fault causes people to blame the victim, but it seems like a common thought process.

      Yes, companies should take more care with data (or, more widely, people should stop putting their data in the hands of random private businesses).

      No, that doesn't mean it's their fault when someone malicious takes the data.

      No, protection money is never an acceptable demand.

    5. Re:This is news? by chaboud · · Score: 5, Insightful

      There is no cognitive fault, but instead, a conditioned, and, frankly, dangerous, view of software as protected by legal remedy. This idea has left us with shit software supported by careless organizations propagating paper-thin security already compromised by rafts of governments. A network is a dangerous place, and software and hardware should treat networks like the wild west when it comes to privacy/security.

      On your other point, regarding "protection money," the reasoning is rather simple. People respond to incentives. If hackers have little to no financial reason to disclose a vulnerability to Yahoo, some may be motivated to find other ways to monetize their efforts. Forget legality/morality for a second and just think about incentives. What Yahoo is doing is removing their incentive for responsible disclosure. By providing a T-Shirt voucher, they're probably incentivizing attack by otherwise disinterested parties, just for the middle-finger of it all.

    6. Re:This is news? by AmiMoJo · · Score: 4, Insightful

      I see it differently. In real life we pay for cops via taxes. Part of their job is to offer advice and even survey your home for ways that criminals might break in. It's part of the service.

      The internet doesn't have cops, but it does have criminals. Fortunately there are good guys who are willing to report flaws when they see them. Unfortunately many companies react to this helpful advice by threatening to sue or even trying to have the white hat arrested. Bug bounties make it clear that the company sees reporting as a valuable service and intends to act swiftly on reported problems.

      Bug bounties also encourage people to look for issues from the outside, which is apparently quite valuable since the people on the inside seem to miss them quite often.

      Companies should pay bug bounties when the issue is security, not as a kind of protection money but as a way of saying they take security seriously and wish to reward those who help them with it.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    7. Re:This is news? by Sockatume · · Score: 5, Insightful

      Or paid them nothing. A small material reward is often more insulting than no reward but having done the right thing.

      --
      No kidding!!! What do you say at this point?
    8. Re:This is news? by Lumpy · · Score: 2, Informative

      "I see it differently. In real life we pay for cops via taxes. Part of their job is to offer advice and even survey your home for ways that criminals might break in. It's part of the service."

      What utopia is that that you live in? Because here in the USA they do not do this at all. The police advice to me is, "do not own a weapon, in the case of a home invasion hide under your bed and call the police. Do not fortify your doors and windows as that is a crime."

      Yes, Fortification of doors and windows in the USA is a CRIME. It makes it harder for cops to raid your home if they need to.

      --
      Do not look at laser with remaining good eye.
    9. Re:This is news? by war4peace · · Score: 2

      Think of it from another angle.
      The money incentive is good enough of a reason to start researching. It's a matter of choice: between companies A, B and C, where A definitely offers a reward, B "might" offer you something crappy and C gives you the finger or even worse, sues you, WHAT would you choose? It's equally moral to research for all the above companies, and equally moral to provide them the results; I agree with that. But then, once the moral equality exists, you look at other parts of the deal, and pick the best one.

      THAT is where Yahoo loses.

      --
      ...gis sdrawkcab (usually not responding to ACs; don't bother posting as AC)
    10. Re:This is news? by CODiNE · · Score: 4, Insightful

      When a diner doesn't leave a tip the waiter can reason "Maybe they forgot".

      Now when the diner leaves a nickel on the table....

      --
      Cwm, fjord-bank glyphs vext quiz
    11. Re:This is news? by 6Yankee · · Score: 4, Insightful

      Absolutely.

      When I worked in McJail, the grease trap exploded on one of my night shifts. BLAM! Couldn't use the sinks, and (once it had all rained back down from the ceiling and flowed down the walls) the back-room was ankle deep in nasty. In order to get the place ship-shape for the morning, I took all the dirty equipment to the local gas station and jet-washed it on my own dime, after rolling in the grease trying to unblock the pipe with my bare hands. While the other two put the rest of the store in order and went home, I was still there three hours after the end of my shift, cleaning up the mess as fast as it could drip from my body.

      The store manager gave me a warm and heart-felt thank-you, although she had the good sense to refrain from shaking my hand. Then she gave me a present. It was the free plastic pen that the plumber had given her.

      From there on in, every time I was tempted to go above and beyond the call of duty, I thought of that pen. That was ten years ago, and I still have it somewhere as a reminder.

    12. Re:This is news? by VortexCortex · · Score: 3, Insightful

      Worse than a nickel... They left vouchers for Tee-shirts advertising their shitty website -- Folks for advertising, so it was actually a negative tip.

  2. They must have an exclusive store by viperidaenz · · Score: 5, Funny

    With the tshirt that says "I found a vulnerability and all I got was this lousy T-Shirt"

    1. Re:They must have an exclusive store by antifoidulus · · Score: 3, Interesting

      Considering the ROI on security bug bounties, they really should have one that just has a Yahoo! logo and the text "I'm with stupid"

  3. Re:So . . . by kthreadd · · Score: 5, Funny

    Have you seen the new Yahoo logo?

  4. Re:So . . . by mwvdlee · · Score: 5, Funny

    Surely they sell a T-shirt that reads "I saved Yahoo! public embarrassment, millions of dollars in damages and all I got was this lousy T-shirt".

    --
    Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
  5. Re:So . . . by Anonymous Coward · · Score: 3, Funny

    There weren't any in XXL.

  6. Better than Microsoft (remember this story?) by Anonymous Coward · · Score: 3, Interesting

    When Microsoft lost their Hotmail domain name, some guy snatched it and kindly returned it to Microsoft because he thought it was the right thing to do, to protect Microsoft from their stupidity. Well, Microsoft sent him a personal thank you note and that was all. Yep, the guy could have legally resold the domain for like a billion dollars (wouldn't be the first time.. ahem, live.com) and gotten away with it. All he got was a lousy certificate of gratitude.

    1. Re:Better than Microsoft (remember this story?) by Anonymous Coward · · Score: 3, Informative

      You mean this guy who got a cheque for $500 and a bunch of software for a problem that took him 2 minutes and $35 to address?

  7. Not bad by Anonymous Coward · · Score: 5, Funny

    C'mon. This is WAY better than the Standard Operation Practice: suing them into the ground.

    We're moving forward, it seems.

  8. Re:Why do people still do this anymore? by Anonymous Coward · · Score: 3, Informative

    Which part of "Forty-eight hours later, Yahoo had patched all of the vulnerabilities" did you miss?

    If you want to object here, then get that tinfoil hat straight and get some sharper Occam's razor.

    Seriously, if you think "bug reported to Yahoo -> NSA demands it from Yahoo -> NSA quickly uses it to hack Yahoo's accounts in 2 days -> Yahoo patches it" is realistic, then you should realize that "NSA demands access to Yahoo accounts -> NSA leisurely browses through all Yahoo accounts they want" would be much more plausible.

    FFS, learn the fucking difference between software on your PC and web services at least. In the latter case, govt spooks won't need any vulnerabilities if it comes to that - they can just come with a subpoena/NSL/whatever.

  9. Re:So . . . by squiggleslash · · Score: 4, Funny

    I know, at least Yahoo! didn't insult them by offering them a job at Yahoo! or something...

    --
    You are not alone. This is not normal. None of this is normal.
  10. Re:So . . . by buchner.johannes · · Score: 4, Insightful

    At least Yahoo! thanked them explicitly and didn't threaten to sue them.

    --
    NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
  11. Better to give nothing by istartedi · · Score: 2

    Wow. That's all kind of fail. It would be better for Yahoo to state as a matter of policy that they don't pay bounties. You might disagree with that; but at least you'd respect it. What they did instead is the equivalent of leaving a nickel tip at a restaurant. Giving nothing makes you look cheap, careless or unaware of tipping customs. Giving the nickel says, "yes, I know I should tip, here's what I think you're worth".

    --
    For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
  12. Re:So . . . by hairyfeet · · Score: 4, Informative

    The problem is that Yahoo just sent out a message to every grey hat, letting them know "if you want anything other than a T-Shirt talk to the metasploit guys" and ya know what? They will. It's not just about the money, it's about respect. A t-shirt is the kind of prize you get from some DJ standing on a street corner NOT what you get for saving a company endless bad press and possible millions in pissed off users.

    Of course the real bitch isn't just the XSS, it's when you mix that with an insecure browser you get a real perfect shitstorm. See my journal for what I labeled the "Yahoo porn bug" a couple years back: if you take Yahoo and ONLY Yahoo (didn't see this with either Gmail or Live mail) and Firefox which again ONLY FF (not any of the Chromium or Webkit browsers nor Opera nor IE), put them together and what do you get? You get the ability for spammers to be able to spam entire address books without having any real access at all. They do this by using the fact that FF runs at the same permission levels as the user (which is retarded but Moz refuses to fix, Chromium had the ability to run below user permission more than 6 years ago) and with a hidden iFrame and using the FF auto login (or even just a still valid cookie) they could have access to the entire address book without having to break into the account or even send a drop of data back to themselves.

    So as I've been saying for a few years now Yahoo really needs to get their shit together, it's entirely too easy to use Yahoo email addresses for spamming. The same can be said of Moz, I no longer include any gecko based browsers specifically because they refuse to add low rights mode. Bad security practices are bad practices and insulting those that find bugs by giving them a lousy $12.50 t-shirt? They have made sure the next bug found by a grey hat will only be found out by Yahoo when they are getting pwned.

    --
    ACs don't waste your time replying, your posts are never seen by me.
  13. Re:Quit whining. by Provocateur · · Score: 2

    The vouchers are traceable. The REAL reward is coming AFTER the winner or researcher tries to claim it or use it at the store. Supply your own ending e.g. Congratulations, here's your new office...

    --
    WARNING: Smartphones have side effects--most of them undocumented.
  14. Re:So . . . by gr33n_lant3rn · · Score: 3, Interesting

    After lurking on slashdot for the last 10 years, this post finally got me to set up an account. Woo! It's my ... well, you know. The hypothesis here is that yahoo didn't pay for the exploits, so obviously grey hats will go to the black market. Further, it's ethically justified because of the slap in the face. I think if you tell a private company that they have a security problem, and they thank you, you can pat yourself on the back. If you're doing it specifically for money, then don't spend your time on yahoo. I don't think it's ethically justified to specifically look for and sell these exploits on the black market, just because you feel morally righteous about a t-shirt. Where are your hacker ethics? Even more, you've forgotten that you have a civic responsibility. Recently, I drove past a high tension line on route 1, and noticed that one of the towers was about to fall over. I could see it from the highway, and I'm a nerd, so I'm observant. I told dominion VA power about it, and within a day, they had a crew out to fix it. It potentially saved them millions. I asked for nothing in return and got nothing. By your logic, I should sell the location of the next messed up tower to terrorists so they can destroy a chunk of the power grid. Why on earth would I want to do that? Even if I don't use power from those lines, I almost certainly have friends and family that do. Same with yahoo. Even if I don't use them, someone I know almost certainly does. Why wouldn't I want to perform a civic duty to protect them? Again, if they won't pay me, I'm not going to walk the entire length of their lines and function as a free lineman for the power company. I'm also not going to be a dick about it. I'm just going to feel good about myself.

  15. Re:So . . . by HiThere · · Score: 2

    Put it this way:
    If folks despise a company, some who would otherwise help them will decline to, and others who would otherwise ignore them will act to harm them. Perhaps you don't think people *should* act that way, but they *do*. And I'm not at all certain that this isn't reasonable. I tend to help my friends in preference to helping strangers, and I'd be quite reluctant to help someone who had spit in my face. That I wouldn't give him a faceful of knuckles says more about my being a rather passive person than about what I think is a reasonable reaction.

    --
    I think we've pushed this "anyone can grow up to be president" thing too far.
  16. Re:So . . . by MysteriousPreacher · · Score: 3, Funny

    Recycling email addresses is a great time saver. It saved me the hassle of getting myself on spam and porn lists. If not for Yahoo's decision my grandmother would never have discovered the delights of European bestiality. It also meant I didn't have to go making accounts on other services, as I just waited for newsletters and other mailings to come through so I could use them to reset the passwords of the prior owner.

    Top notch idea! I wish Yahoo would make a computer. I know they'd add useful features, such as the "decrypt hard drive" button on the back for those awkward moments when someone has files I really need to see.

    --
    Using the preview button since 2005
  17. Re:So . . . by Sun · · Score: 3, Insightful

    If you contacted me and reported a bug in fakeroot-ng or rsyncrypto, I'd fix it. I'd do it for free. I'll say "thank you" for reporting it.

    If you contacted me with the precise same bug, and offered to pay me $1000 to fix it, I'd take your money and fix it as soon as I could, because I believe it is okay for FOSS developers to make money from their work.

    If you contacted me and offered to pay me $10, I'd probably be offended.* If you can't afford to pay me a reasonable fee for my time, then ask me nicely to volunteer it. Do not, however, presume to pay me an unreasonable fee for it. There are things I'd happily do for free that I will simply refuse to do for a reward that is demeaning.

    Shachar

    * - If you waited for me to fix it, and then contributed $10 to my PayPal account, I'd not only say "thank you", I'd even happily tell everyone I know that someone did it. $10 makes for a lousy paycheck, but it's a perfectly reasonable donation.