Nowadays all companies are looking for external security researchers to find bugs and weaknesses in their applications through bug bounty programs. Even Facebook and Google pay hundreds of dollars to researchers for reporting security vulnerabilities.
But Yahoo offers only $25 to a researcher who finds a bug. The first reporter of a verifiable security bug gets... $25, redeemable only in Yahoo's company store for "corporate t-shirts, cups, pens and other accessories."
Yahoo is not having a very good run in the reputation department when it comes to user security. Researchers at High-Tech Bridge found a few bugs, and were not exactly impressed with Yahoo's reward.
Now High Tech Bridge (HTB), a firm that provides pentesting and security audit services, decided to test the bug reporting process from the sharp end. It chose Yahoo, because, it claims, it is "less famous than Facebook and Google [which both pay out thousands of dollars in bug bounties, while] at the same time handling sensitive information for hundreds of millions of users."
The researchers found three serious cross-site scripting (XSS) vulnerabilities affecting the domains ecom.yahoo.com and adserver.yahoo.com. These bugs could have been used to hack into Yahoo email accounts, according to Kolochenko.
When he reported them, Yahoo acknowledged two of the three bugs; Yahoo's own researchers verified that these vulnerabilities really did exist (they have since been fixed). They offered the research team a hearty thank-you and an award of $12.50 per bug, redeemable at the company store. The researchers were unimpressed; the report states, "At this point we decided to hold off on further research."
Facebook, in comparison, recently paid $12,500 to a hacker who found a bug that allowed him to delete any user's pictures (it must be noted, though, that the social network also recently failed to reward another hacker who broke into Mark Zuckerberg's Timeline).
Yahoo should probably revise its relations with security researchers, Kolochenko, High Tech Bridge's CEO, was quoted as saying in the blog post. "Paying several dollars per vulnerability is a bad joke and won't motivate people to report security vulnerabilities to them, especially when such vulnerabilities can be easily sold on the black market for a much higher price."
All of the vulnerabilities reported to Yahoo by High Tech Bridge have been fixed.