If you find a major security flaw in Facebook’s infrastructure the company will pay you thousands of dollars and publicly thank you for your contributions. If you find a major flaw in Yahoo! systems the company will reward you with zero public praise and a voucher for a $12.50 t-shirt from its company store.
A group of researchers at High-Tech Bridge recently discovered a big flaw and informed Yahoo’s Security Team about three cross-site scripting (XSS) vulnerabilities. The security issue allowed any @yahoo.com email account to become easily compromised and affected the ecom.yahoo.com and adserver.yahoo.com domains.
According to researchers clicking a specially-crafted link could hijack a users account in seconds.
The major Yahoo! security flaw was discovered on September 23 and 48 hours later the Yahoo security team responded with a $12.50 voucher that could only be used inside the Yahoo company products store.
On Monday 23rd September, the researchers informed Yahoo’s Security Team about three cross-site scripting (XSS) vulnerabilities affecting the ecom.yahoo.com and adserver.yahoo.com domains.
According to Ilia Kolochenko,CEO of High-Tech Bridge, “If Yahoo cannot afford to spend money on its corporate security, it should at least try to attract security researchers by other means. Otherwise, none of Yahoo’s customers can ever feel safe.”
This really is Yahoo’s loss as High-Tech Bridge has decided to stop helping Yahoo discover security flaws in its systems.
While programmers don’t always actively seek security flaws to earn cash, the incentive has helped Facebook and other tech firms fix issues before they are released as a matter of public record.
The High-Tech Bridge issue has been patched and some lucky researcher is sporting a $12.50 T-Shirt or drinking from a Yahoo company mug.
Do you think Yahoo! should offer higher cash incentives to hackers and computer researchers who expose major flaws in the Yahoo infrastructure?
