
Security Researchers Rewarded with $12.50 Voucher to Buy Yahoo T-Shirt

Hugh Pickens DOT Com (2995471) writes | about 7 months ago


Hugh Pickens DOT Com (2995471) writes "More and more companies are offering Bug Bounty Programs remunerating security researchers for reporting vulnerabilities and weaknesses in their applications and software. Now security analyst Graham Cluley writes that researchers at High-Tech Bridge informed Yahoo’s Security Team about three cross-site scripting (XSS) vulnerabilities affecting the ecom.yahoo.com and adserver.yahoo.com domains. According to High-Tech Bridge, each of the vulnerabilities could compromise *any* @yahoo.com email account. All that was required was that the victim, while logged into Yahoo, should click on a specially-crafted link received in an email. Forty-eight hours later, Yahoo had patched all of the vulnerabilities and Yahoo’s security team responded, thanking the researchers and "offering the mighty bounty of err.. $12.50 per vulnerability," writes Cluley. But there was one catch. The $12.50 was given as a discount code that can only be used in the Yahoo Company Store, which sells Yahoo’s corporate t-shirts, cups, pens and other accessories. "Such a risible reward is unlikely to win Yahoo any friends and could – if anything – make it less likely that the site will gain the assistance of white-hats in future," wrote Cluley. "If Yahoo cannot afford to spend money on its corporate security, it should at least try to attract security researchers by other means," wrote Ilia Kolochenko, the CEO of High-Tech Bridge. "Otherwise, none of Yahoo’s customers can ever feel safe.""

2 comments

Welcome to the century (1)

Deadstick (535032) | about 7 months ago | (#44997523)

When I went to work for an aerospace company in 1972, well-documented suggestions that were adopted would get you a check for 10% of the estimated first-year savings...and some of those checks were very sweet. By about 1990, they would get you a voucher to pick an item from a gift catalog. The program brochure was illustrated with a line drawing of a guy's head and a thought balloon as he dreamed of a Dust Buster.

T-shirts not that unusual (1)

ark1 (873448) | about 7 months ago | (#44997637)

Receiving company t-shirts as a symbolic gesture/compensation for discovering vulnerabilities is not that unheard of. However, in those cases there is an actual t-shirt (sometimes personalized) sent as a gesture of recognition, not a lousy voucher. I feel Yahoo will make them whole in one way or another to get some PR points with this story. In the end, I guess a voucher is still better than an army of lawyers coming after you.