The good news about Yahoo’s security team is that it’s finally offering bounties for independent researchers who uncover bugs.
The bad news is that the bounty itself isn’t exactly competitive.
September 30, 2013 6:01 PM PDT
One of three cross-site scripting vulnerabilities that High Tech Bridge uncovered on Yahoo’s sites. It has since been fixed by Yahoo.
(Credit: High Tech Bridge)
Bug bounties from Google and Facebook regularly clear thousands of dollars for a single, high-profile bug. Yahoo finally has joined the game, also for four figures — but with a different decimal place.
The security firm High Tech Bridge set out to see what Yahoo would pay for disclosing bugs discovered on its site, since the company hadn’t stated what they were worth but did say that it encouraged researchers to report bugs.
After reporting three cross-site scripting (XSS) vulnerabilities that could compromise a user’s account with what High Tech Bridge described as basic phishing techniques, Yahoo responded with its thanks within 48 hours.
The research firm was rewarded with $12.50 per vulnerability, significantly lower than Facebook’s or Google’s lowest bounties, which come in at $500 and $100 for the lowest priority bugs, respectively.
Not only were Yahoo’s bounties lower by at least a factor of 10, but the money could be spent only in Yahoo Corporate Store where it sells company-branded tchochkes.
The bugs all had been patched by the time that High Tech Bridge published its press release on Monday.
The company wrote, “At this point we decided to hold off on further research.”
A request for comment by Yahoo was not immediately returned. CNET will update the story when we hear back from Yahoo.