Security researchers have revealed that Yahoo pays out a paltry $12.50 for each cross-site scripting (XSS) flaw discovered on one of its domains, no matter how dangerous the flaw could be if exploited in the wild.
High-Tech Bridge carried out an experiment to check how long it takes to find security vulnerabilities on well-known sites and how a company of Yahoo’s stature responds to a vulnerability notification.
According to its researchers, they found four XSS vulnerabilities on Yahoo domains including marketingsolutions.yahoo.com, ecom.yahoo.com and adserver.yahoo.com. The bugs found during the research could compromise the account of any user with a @yahoo.com account just by “sending a specially crafted link to a logged-in Yahoo user and making him/her click on it.”
High-Tech Bridge reported all four vulnerabilities as per Yahoo’s recommendations. The Internet company rejected the first flaw, saying that someone else had already reported it. For the next two flaws, Yahoo handed out a gift certificate for $25 ($12.50 for each XSS flaw), which can only be redeemed at the company’s online store. No response has been received for the fourth flaw yet.
“…this sum was given as a discount code that can only be used in the Yahoo Company Store, which sells Yahoo’s corporate t-shirts, cups, pens and other accessories,” notes High-Tech Bridge on its website.
This is rather strange, as companies like Google, Facebook and HP pay thousands of dollars through their bug bounty programs. The information security company notes that money isn’t the only motivating factor behind security research; however, paying just a few dollars for a security vulnerability is “a bad joke,” said Ilia Kolochenko, High-Tech Bridge CEO.