Yahoo! rewards vulnerability reporting with a $12.50 discount voucher
Google, Microsoft, Facebook, and any other company serving millions of customers with online services, rely on security researchers to report vulnerabilities. They even encourage such reporting by offering bug bounties that can be worth thousands of dollars. Yahoo! is another company that needs to keep on top of vulnerabilities, but it has recently been discovered their rewards leave a lot to be desired.
High-Tech Bridge, an information security company, decided to focus on Yahoo! and its services to find out how quickly they responded to vulnerability reports. In total, High-Tech discovered four vulnerabilities, with Yahoo! responding to each within 24-48 hours, which isn’t bad. What is bad, however, is the reward on offer for finding such a vulnerability. High-Tech was thanked with a discount code allowing them to purchase anything from the Yahoo! Company Store with $12.50 knocked off the price. The products on offer included Yahoo! branded t-shirts, socks, cups, pens, teddy bears, and tech accessories like an iPad sleeve or travel adapter. It’s also worth pointing out you only get one discount code per vulnerability. High-Tech ended up earning $25 to spend at the store.
This isn’t exactly a great reward for spending time reporting security vulnerabilities, and therefore doesn’t encourage researchers to spend time doing so for Yahoo! services. Why would you when companies including Google and Microsoft are offering substantial cash rewards?
As you’d expect, High-Tech Bridge has put its Yahoo! vulnerability hunt on indefinite hold, with company CEO Ilia Kolochenko calling it “a bad joke” and suggesting Yahoo! rethinks how it attracts security researchers to look at its products in future.