Slashdot Mirror


Security Researchers Rewarded With $12.50 Voucher To Buy Yahoo T-Shirt

Hugh Pickens DOT Com writes "More and more companies are offering Bug Bounty Programs remunerating security researchers for reporting vulnerabilities and weaknesses in their applications and software. Now security analyst Graham Cluley writes that researchers at High-Tech Bridge informed Yahoo's Security Team about three cross-site scripting (XSS) vulnerabilities affecting the ecom.yahoo.com and adserver.yahoo.com domains. According to High-Tech Bridge, each of the vulnerabilities could compromise *any* @yahoo.com email account. All that was required was that the victim, while logged into Yahoo, should click on a specially-crafted link received in an email. Forty-eight hours later, Yahoo had patched all of the vulnerabilities and Yahoo's security team responded, thanking the researchers and 'offering the mighty bounty of err.. $12.50 per vulnerability,' writes Cluley. But there was one catch. The $12.50 was given as a discount code that can only be used in the Yahoo Company Store, which sells Yahoo's corporate t-shirts, cups, pens and other accessories."
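The summary describes reflected XSS: a logged-in victim follows a crafted link, the site echoes the link's parameter into the page unencoded, and script then runs on the authenticated domain. The following is an added example, not code from the Slashdot post, Yahoo or High-Tech Bridge; the search page, function names and cookie values are hypothetical. It shows the defect beside the two standard mitigations, context-aware output encoding and an HttpOnly session cookie, so the rendered output can be checked for raw script elements.

```javascript
// Added example (not from the Slashdot post or High-Tech Bridge's report).
// Shows why reflecting a query parameter unencoded lets a crafted link run script
// on an authenticated domain, and two defender-side mitigations:
// HTML output encoding and HttpOnly/Secure/SameSite session cookies.

// Minimal HTML escape for text content and double-quoted attribute values.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Hypothetical search page that echoes the query parameter back into the markup.
// Vulnerable version: untrusted input is concatenated straight into HTML.
function renderSearchVulnerable(query) {
  return `<h1>Results for: ${query}</h1>`;
}

// Hardened version: same page, but the value is encoded for the HTML text context.
function renderSearchSafe(query) {
  return `<h1>Results for: ${escapeHtml(query)}</h1>`;
}

// Small check used below: does the rendered HTML contain a raw <script> element?
function containsScriptTag(html) {
  return /<script[\s>]/i.test(html);
}

// Session cookie attributes that limit what injected script can do:
// HttpOnly keeps document.cookie from exposing it, Secure restricts it to TLS,
// SameSite limits cross-site sending. (Constructed example values.)
function sessionCookieHeader(sessionId) {
  return `session=${encodeURIComponent(sessionId)}; Path=/; Secure; HttpOnly; SameSite=Lax`;
}

function cookieIsHttpOnly(setCookieHeader) {
  return setCookieHeader
    .split(';')
    .map((part) => part.trim().toLowerCase())
    .includes('httponly');
}

// Constructed input: the kind of value a crafted link would put in the query string.
const CRAFTED_QUERY = '<script>alert(1)</script>';

// Renders both versions with the constructed input and reports what a reviewer would check.
function demo() {
  const vulnerable = renderSearchVulnerable(CRAFTED_QUERY);
  const safe = renderSearchSafe(CRAFTED_QUERY);
  return {
    vulnerableHasScript: containsScriptTag(vulnerable),
    safeHasScript: containsScriptTag(safe),
    safeOutput: safe,
    cookieHttpOnly: cookieIsHttpOnly(sessionCookieHeader('abc123')),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

Encoding is context-specific: the escape above is correct for HTML text and quoted attributes, but a value placed inside a script block, a URL, or a CSS property needs the encoder for that context, and a templating engine that does this automatically is preferable to hand-rolled concatenation.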

7 of 138 comments

  1. They must have an exclusive store by viperidaenz · · Score: 5, Funny

    With the T-shirt that says "I found a vulnerability and all I got was this lousy T-Shirt"

  2. Re:So . . . by kthreadd · · Score: 5, Funny

    Have you seen the new Yahoo logo?

  3. Re:So . . . by mwvdlee · · Score: 5, Funny

    Surely they sell a T-shirt that reads "I saved Yahoo! public embarrassment, millions of dollars in damages and all I got was this lousy T-shirt".

    --
    Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?

  4. Re:This is news? by Dexter+Herbivore · · Score: 5, Insightful

    They had many choices, simple two choices: Report bug and get $12.50, amazing Yahoo was not giving them tree fidy. They could have gone onto some darknets and sold the report for $100,000+. The choice was theirs to make.

    Which is exactly why Yahoo should have paid them more. Make the choice less obvious and save themselves a lot of grief further down the line.

  5. Not bad by Anonymous Coward · · Score: 5, Funny

    C'mon. This is WAY better than the Standard Operation Practice: suing them into the ground.

    We're moving forward, it seems.

  6. Re:This is news? by chaboud · · Score: 5, Insightful

    There is no cognitive fault, but instead, a conditioned, and, frankly, dangerous, view of software as protected by legal remedy. This idea has left us with shit software supported by careless organizations propagating paper-thin security already compromised by rafts of governments. A network is a dangerous place, and software and hardware should treat networks like the wild west when it comes to privacy/security.

    On your other point, regarding "protection money," the reasoning is rather simple. People respond to incentives. If hackers have little to no financial reason to disclose a vulnerability to Yahoo, some may be motivated to find other ways to monetize their efforts. Forget legality/morality for a second and just think about incentives. What Yahoo is doing is removing their incentive for responsible disclosure. By providing a T-Shirt voucher, they're probably incentivizing attack by otherwise disinterested parties, just for the middle-finger of it all.

  7. Re:This is news? by Sockatume · · Score: 5, Insightful

    Or paid them nothing. A small material reward is often more insulting than no reward but having done the right thing.

    --
    No kidding!!! What do you say at this point?