Let’s say you’re dying to get your hands on that Yahoo-branded iPad cover from the company’s store (we won’t ask you why). Here’s a cool way to get $12.50 off your purchase:
- Find a security bug in a Yahoo website.
- Report it to Yahoo.
- Receive a promo code for $12.50 off anything in Yahoo’s company store.
- Feel all warm and fuzzy inside.
This is exactly what happened to the security experts at the Geneva-based firm High-Tech Bridge recently (we’re pretty sure they were not feeling warm and fuzzy). They reported three cross-site scripting (XSS) vulnerabilities to Yahoo’s security team, each of which could compromise any @yahoo.com email account if a logged-in Yahoo user clicked a specially crafted link. In return they got a thank-you email from Yahoo and a handsome reward of $12.50 to spend in the company’s online store, where you can buy Yahoo-branded socks, t-shirts, and other things.
High-Tech Bridge CEO Ilia Kolochenko says: “Yahoo should probably revise their relations with security researchers. Paying several dollars per vulnerability is a bad joke and won’t motivate people to report security vulnerabilities to them, especially when such vulnerabilities can be easily sold on the black market for a much higher price.”
Facebook, as a point of comparison, recently paid a hacker $12,500 for finding a way to delete any user’s Facebook photos. Google offers up to $20,000 for reporting security vulnerabilities. Microsoft? A cool $100,000.