Slashdot Mirror

← Back to Stories (view on slashdot.org)

Yahoo To Offer Bug Bounty Rewards Up To $15,000

Posted by samzenpus on from the pay-me dept.

aesoteric writes "Yahoo is set to launch its first formal bug bounty system after Swiss pen testers complained about the $12.50 vouchers offered for locating XSS vulnerabilities. The web giant also said the voucher rewards were informal and actually funded out of the pockets of the company's own IT security staff."

65 comments

  1. In other news... by Frosty+Piss · · Score: 5, Insightful

    ...The once powerful Yahoo grasps at straws to attract developers back after fucking them over for a few years...

    --
    If you want news from today, you have to come back tomorrow.
    1. Re:In other news... by msauve · · Score: 1

      Well, they do have the name right - they're all yahoos. Seriously, is there anything Yahoo! does, which someone else doesn't do much better?

      --
      "National Security is the chief cause of national insecurity." - Celine's First Law
    2. Re:In other news... by Anonymous Coward · · Score: 0

      Sucking and blowing at the same time?

    3. Re:In other news... by Anonymous Coward · · Score: 0

      Well, they do have the name right - they're all yahoos. Seriously, is there anything Yahoo! does, which someone else doesn't do much better?

      So a company manages to make it BIG back in it's heyday and after all those years manage to stay relevant. That is pretty successful compared with all the dotcom bubble companies that went bust but yahoo didn't. And people like you that never built anything anybody ever heard of, yeah, look how jealous and envyous you are when you see we still talk about them.

      Maybe youre a google or apple fanboy. Microsoft doesn't really have fanboys. Is there anything YOU do which doesn't involve complaining about people more successful than yourself? Ever try saying something useful and constructive? Jeesus no matter who you are somebody somewhere is better at something than you, just get over it!!

    4. Re:In other news... by hutsell · · Score: 1

      ...The once powerful Yahoo grasps at straws to attract developers back after fucking them over for a few years...

      Perhaps even the non-developers — the Yahoo! Yodeler, Wylie Gustafson is one that comes to mind from over a decade ago.

      --
      Yesterday's Weirdness is Tomorrow's Reason Why
    5. Re:In other news... by mechtech256 · · Score: 1

      Yahoo Finance is very good.

    6. Re:In other news... by Anonymous Coward · · Score: 0

      Microsoft doesn't really have fanboys.

      I love Microsoft. I am posting this from my 256 GB Surface Pro and there's a Lumia 920 charging on my desk beside it.

    7. Re:In other news... by Anonymous Coward · · Score: 0

      Microsoft doesn't really have fanboys.

      I love Microsoft. I am posting this from my 256 GB Surface Pro and there's a Lumia 920 charging on my desk beside it.

      Why don't you marry them then? :>)

    8. Re:In other news... by GumphMaster · · Score: 1

      Nope, didgeridoo players and even Kenny G beat them hands down on this: Circular breathing

      --
      Patent litigation: A doctrine of Mutually Assured Destruction... in which everyone seems willing to push the button
    9. Re:In other news... by Anonymous Coward · · Score: 0

      i got a CAD certificate at CCSF and another student in the program was a yahoo employee (programmer)

    10. Re: In other news... by Anonymous Coward · · Score: 1

      Go home Ballmer. You are drunk. And fired.

    11. Re:In other news... by Anonymous Coward · · Score: 0

      In the days of US slavery, a slave wasn't human -- a slave was property, with no more rights, feelings, intelligence, than a horse or a dog or any other work animal. If I were black I'd want to beat the shit out of you.

      Now, would someone put VortexCortex's offensive, racist, offtopic troll down to -1 where it belongs? Thanking you in advance. VC, expect modbombings from pissed off black people. Forget to hit the "post anonymously" button, troll?

      After modding him down, please do the same to me. This bullshit is a distraction, especially so close to the top of the comments.

    12. Re:In other news... by Anonymous Coward · · Score: 0

      IME it seems to be perfectly acceptable between blacks o.w. they(mostly) take offense when a non-black uses it...

    13. Re:In other news... by tripleevenfall · · Score: 1

      Well, actually from 1787 they were 3/5ths of a human.

      I don't think the word has any place in polite usage, but the is the internet.

    14. Re:In other news... by Anonymous Coward · · Score: 0

      Well, actually from 1787 they were 3/5ths of a human.

      I don't think the word has any place in polite usage, but the is the internet.

      No, they did not count as 3/5 of a human. They were slaves. For every slave a state had, it would be granted the equivalent of 3/5 of a headcount to determine the number of representatives they got in the House. The slave itself had no legally recognized rights - the owner could beat, rape and execute the slave and face only the price to replace that slave, even if it wasn't their own slave. You owner might be nice, but that drunk down the road could rape your "wife", kill your kids and suffer no legal punishment beyond a fine. If you then gave him a dirty look for his actions, he could have you beaten, or kill you and just pay another fine.

  2. But... by Freshly+Exhumed · · Score: 1

    Do you still get the T-shirt?

    --
    I deny that I have not avoided attaining the opposite of that which I do not want.
    1. Re:But... by Anonymous Coward · · Score: 0

      They've been giving away tshirts for 10 years, long before he joined (check LinkedIn). That part of his story strikes me as BS.

    2. Re:But... by Anonymous Coward · · Score: 0

      Judging by his UID that nick was created well over a decade ago so GP should be close to 30 by now.

  3. Bugs? by Anonymous Coward · · Score: 0

    Here is a bug, if you manually remove the fucking IE Yahoo toolbar with autoruns or any other app, than remove the Yahoo toolbar from programs and features or add and remove programs, it pins one cpu core at 50 percent and does nothing. Someone please fix that shit.

    1. Re:Bugs? by Anonymous Coward · · Score: 1

      You still use both IE and Yahoo? How quaint...

    2. Re:Bugs? by Anonymous Coward · · Score: 0

      It's the only way to keep my Bonzi Buddy around.

    3. Re:Bugs? by Lunix+Nutcase · · Score: 1

      What about the comet cursors?

    4. Re:Bugs? by Anonymous Coward · · Score: 0

      He uses a yahoo TOOLBAR??? How fucking RETARDED.

  4. Definition of Scrooge by snero3 · · Score: 2

    the web giant also said the voucher rewards were informal and actually funded out of the pockets of the company's own IT security staff

    I don't know how many tshirts they gave out, but I am lead to believe it wasn't many. If someone freely out of their own good will helps you out, at your job! and you can only manage pony up $12.50 that is just an insult, I personally would prefer just a email of thanks than that!! Hell a case of beer maybe!!

    I beat these guys aren't first in line to order a round on Friday night

    --
    It said "windows 98 or better" so I installed Linux
    1. Re:Definition of Scrooge by Anonymous Coward · · Score: 0

      $12.50 could be used to buy a six pack of beer, no?

    2. Re:Definition of Scrooge by Lunix+Nutcase · · Score: 1

      The Yahoo store sells six packs of beer?

    3. Re:Definition of Scrooge by Anonymous Coward · · Score: 0

      Psychologically it's a different thing. Giving someone a small sum of raw cash instead of a gift worth about the same is generally considered crass.

      That's why people come up with things like gift vouchers and "ang pows" (another of the great Chinese inventions). It's still crass but it's better insulated crassness ;).

    4. Re:Definition of Scrooge by jiriw · · Score: 2

      I don't know...

      Yes, someone did notify you of something you probably didn't realise yet. And it might have become a problem for the company later on... if the wrong people found out just that. That person did it freely and out of his/her own good but it doesn't necessarily makes your job easier (maybe even harder because now you have to solve this while there are already enough other problems on your plate). It won't reduce your workload... your employer has enough other things for you to do... it won't get you to that pub a minute earlier than your employer allows you to leave for the weekend (and that might be even later now). You won't tell that to the person who made that bug report 'tough. You're glad there are people actively want to involve themselves in the security of the product you're proud to work on even 'though they do it without prospect of financial gain.
      As a small thank you, you send the person a gift certificate paid from your own money, effectively saying 'Here is an hour of my time in wage. Please spend it on something you like to' (give or take... My reference is my current hourly wage, after taxes, as an IT professional, which is a little more, but not much).

      Of course there is nothing wrong with a proper reward program, financed by the actual company. If these bugs take at least some skills and resources to track, and are that valuable it would be rather cheap for a company not to have one. That having said, a pay check for services rendered from a company is totally different from an employee paying you a small token out of his/her own pocket while the direct value for that employee is, at least, questionable.

    5. Re:Definition of Scrooge by pla · · Score: 1

      Psychologically it's a different thing. Giving someone a small sum of raw cash instead of a gift worth about the same is generally considered crass.

      Only because we expect the humans giving us gifts to know us well enough to make it a bit more personal. In contrast, I want Yahoo to know as little about me as possible. They can send me $12.50 in BTC to an anonymous address, for all I care about how they reward people.

      Uncle Tony writing a $12.50 check: Crass. Yahoo writing a $12.50 check: Insultingly cheap, but otherwise okay.

  5. Good luck getting paid by Anonymous Coward · · Score: 0

    We've seen this time and time again. Corporations offer a bounty but quickly find some excuse not to pay it when someone actually finds a bug. Whether it's a selective interpretation of the bounty "agreement", or a technicality in the definition of the word "bounty", they *will* find some excuse not to pay.

    1. Re:Good luck getting paid by muphin · · Score: 3, Interesting

      that's counter productive, hiring a full time developer to scour the site for bugs would costs hundreds of thousands, and here we have people with the skill after a small amount. Also if the people doing the pen-testing get fucked over they just release the exploit and move onto a site that appreciates their time

      --
      It's not a typo if you understood the meaning!
    2. Re:Good luck getting paid by Anonymous Coward · · Score: 0

      If they pissed off someone enough, that person could turn it around and sell it to places that pays for 0 day exploits for loads of $$$.

  6. Undestroy by XB-70 · · Score: 2

    The Undestroy button is not working. The fix is to re-establish the chat rooms, clear the clutter from Yahoo! Messenger, make mail actually function at a reasonable speed and eliminate the mindless Hollywood crap from the main page. I'd like my $$$ now, please.

    --
    *** Don't be dull.***
    1. Re:Undestroy by Anonymous Coward · · Score: 0

      If only the kardashians were the least of the people's concern, their mind-numbing left-wing agenda is beyond grotesque. The simple fact that a story about someone saving a kitten can turn into a pro left-wing article leaves much to say about that company. Thankfully, Yahoo answered their loyal viewers once and only once by firing Chris Chase last year after years of complaints. But hey, if too many people complain in the comments about something, Yahoo will just delete the article and re-publish it, possibly disabling the comments at the same time.

  7. Talk about your risk by djupedal · · Score: 1

    Not taking anything that comes out of an IT staffer's pocket, thanks just the same.

  8. QA help by Anonymous Coward · · Score: 0

    At least they will get some QA help by offering real money. For example, when I log in to my.yahoo.com I either get weather for my home town, or New York, which I've never been to. There is lots of wasted space on some of the newly designed web pages. And I've also seen sport times listed at different times on the same page, more then 3 hours off, so not a ET/PT thing.

    And too much hollywood. It seems like they are trying to turn themselves into an entertainment site, not a news and search site.
    bah

  9. A modest bug bounty proposal by TheloniousToady · · Score: 2

    I've had a couple of friends whose Yahoo email contacts, including me, got sent spams which were crafted to appear as though the spam was from the friend. The spams contained links presumed to be armed and dangerous. I wonder if Yahoo has a bug bounty for that one? Heck, I'd chip in ten bucks myself if somebody would fix that.

  10. up to by Anonymous Coward · · Score: 0

    starting and most likely ending with a tshirt ... but theoretically up to 15k

  11. Found one by PPH · · Score: 1

    Its big, about the diameter of a silver dollar. Six legs, shiny black body, big pincers and semi transparent wings. Its sitting on cowboyneal's head.

    --
    Have gnu, will travel.
  12. Yahoo IS a bug! by Anonymous Coward · · Score: 0

    Yahoo! won't survive another decade. It is a mess. All of its websites and "services" are a complete mess. You never really know what part you are logged into or what you are doing on it. It gives me a headache to look at anything Yahoo! outputs. It is always a releif to close a tab containing anything Yahoo! Like a sudden pressure being released from the backs of your eyeballs.

    1. Re: Yahoo IS a bug! by Anonymous Coward · · Score: 0

      Yahoo.is not.only a bug the fucking shithole is ran by an overpaid toothpaste model who whores herself out to the nsa. No one in their right mind.would yse them for anything

  13. Re:Penetration testing? by VortexCortex · · Score: 0

    Don't worry about testing--your mom checked out great last night.

    Dude? Seriously? You penetration tested mom? Uh, I don't mean to be a downer, but I hope you used a Trojan... If not, you should get tested for viruses.

  14. What about labor laws? by Joe_Dragon · · Score: 1

    Some one may just say they did work and did not get paid and there is a full list of other stuff to come out let's say some works there and tells a friend about bugs they know about so that friend can get paid to tell them about it? OR even that is the way to get past the PHB.

  15. Re:Penetration testing? by VortexCortex · · Score: 0

    We have an open relationship.

  16. Damage Control by SeaFox · · Score: 2

    Yahoo is set to launch its first formal bug bounty system after Swiss pen testers complained about the $12.50 vouchers offered for locating XSS vulnerabilities

    In other words, Yahoo realized since word got around how lame their rewards were for reporting security vulnerabilities people were more likely to start looking to see how much more they could get selling them to the bad guys instead.

  17. C'mon Now... by flyneye · · Score: 1

    Hey, $15,000 will keep you in t-shirts and coffee mugs for life!

    --
    *Repent!Quit Your Job!Slack Off!The World Ends Tomorrow and You May Die!
  18. "Up to" - marketing magic by wonkey_monkey · · Score: 1

    I don't know what everyone's complaining about. $12.50 comes under "Up To $15,000," and I'll give up to $1,000,000 to anyone can prove me wrong!

    --
    systemd is Roko's Basilisk.
    1. Re:"Up to" - marketing magic by La+Gris · · Score: 1

      There is no wrong in your statement about $12.50 comes under "Up To $15,000,";
      So there is no circunstance where you would give me up to $1,000,000 in correllation to proving you wrong on the above.
      This is where I could prove you wrong.
      But giving me up to $1.000.000 for proving you wrong would prove you right.

      Finally, the only possible income of all this. is:
      - You have to give me more than $1.000.000 for, proving you are wrong on advertising a reward to an impossible circunstance.
      - And the reward has to be more than your "up-to" to save your wrongness or it would cancel itself.

      --
      Léa Gris
  19. Commend the Out of Pocket Expense by Kookus · · Score: 1

    That also just lowers the credibility of Yahoo. They have to have their own employees pay for things in order to operate... Sounds like a startup.

  20. So we can expect... by pla · · Score: 1

    So if Yahoo's recent history means anything, we can expect that the first bug bounty will pay 2 million dollars, which Marissa will claim for finding a font the wrong color, then she will immediately order the program ended for nebulous "abuses"?

    Of course, that would still sound better than giving out an insulting coupon for company swag. ;)

  21. All I got... by bil_hendrix · · Score: 1

    What's on the t-shirt? Suggestion: "I submitted a bug report to Yahoo and all I got was this lousy t-shirt"

  22. This is actually worse. by intermodal · · Score: 1

    Before, it was Yahoo being cheap. Now it's Yahoo also screwing their own staff.

    --
    In SOVIET RUSSIA... erm...NSA AMERICA, the Internet logs onto YOU!
  23. I like the... by Anonymous Coward · · Score: 0

    up to 15K. That is kind of like my ISP "Up to 50 Mbs Speeds"
    Yeah, no. I had a 56K modem that would run faster sometimes.
    Just give me the t-shirt and stop blowing smoke.

  24. Cobra Effect by Anonymous Coward · · Score: 0

    bounties and incentives in culture, biology, and government can be bad enough (http://freakonomics.com/2012/10/11/the-cobra-effect-a-new-freakonomics-radio-podcast/), but now in SOFTWARE? This could end up being the most dangerous experiment since the Trinity detonation.

  25. I swear I thought I saw... by unitron · · Score: 1

    ..."Yahoo To Offer Bugs Bunny Rewards Up To $15,000"

    Darn floaters.

    --

    I see even classic Slashdot is now pretty much unusable on dial up anymore.