Yahoo has raised the ire of security researchers after handing out a measly $US12.50 each for flaws found in its websites.
Web and software companies offer so-called bug bounties, paying third-party security researchers for flaws they find in their products. Google, for example, regularly pays out bounties in the hundreds or thousands of dollars.
Security firm High-Tech Bridge decided to see how long it would take to find a vulnerability on a well-known site and have it fixed, and how much it would earn.
Last month, it found a cross-site scripting (XSS) vulnerability on a Yahoo marketing site - uncovering the flaw in only 45 minutes of research.
Yahoo, to its credit, responded to the security firm's email report within 24 hours, but said the flaw had already been reported, so no reward was forthcoming.
High-Tech Bridge tried again, finding two more XSS flaws. "Each of the discovered vulnerabilities allowed any @yahoo.com email account to be compromised simply by sending a specially crafted link to a logged-in Yahoo user and making him/her click on it," High-Tech said.
This time, Yahoo replied offering a reward: $12.50 for each - not in cash, but in credit at the Yahoo store. "At this point we decided to hold off on further research," the security firm said.
The firm suggested Yahoo needs to do better to keep security researchers working on its products. "Paying several dollars per vulnerability is a bad joke and won’t motivate people to report security vulnerabilities to them, especially when such vulnerabilities can be easily sold on the black market for a much higher price," said Ilia Kolochenko, High-Tech Bridge CEO.
Kolochenko admitted money isn't the only motivation, and suggested Yahoo follow Google's lead by appealing to researchers' egos by offering a public hall of fame. "If Yahoo cannot afford to spend money on its corporate security, it should at least try to attract security researchers by other means," Kolochenko said.
Security consultant Graham Cluley agreed, saying money isn't the only way to attract researchers. "Of course, money (and T-shirts) shouldn't be the only motivation for reporting a security vulnerability," said Cluley. "But such a risible reward is unlikely to win Yahoo any friends and could – if anything – make it less likely that the site will gain the assistance of white hats in future."
Yahoo has yet to respond to a request for comment.