Hugh Pickens DOT Com (2995471)
writes "More and more companies are offering Bug Bounty Programs remunerating security researchers for reporting vulnerabilities and weaknesses in their applications and software. Now Security analyst Graham Cluley writes that researchers at High-Tech Bridge informed Yahoo’s Security Team about three cross-site scripting (XSS) vulnerabilities affecting the ecom.yahoo.com and adserver.yahoo.com domains. According to High-Tech Bridge, each of the vulnerabilities could compromise *any* @yahoo.com email account. All that was required was that the victim, while logged into Yahoo, should click on a specially-crafted link received in an email. Forty-eight hours later, Yahoo had patched all of the vulnerabilities and Yahoo’s security team responded, thanking the researchers and "offering the mighty bounty of err.. $12.50 per vulnerability," writes Cluley. But there was one catch. The $12.50 was given as a discount code that can only be used in the Yahoo Company Store, which sells Yahoo’s corporate t-shirts, cups, pens and other accessories. "Such a risible reward is unlikely to win Yahoo any friends and could – if anything – make it less likely that the site will gain the assistance of white-hats in future," wrote Cluley. “If Yahoo cannot afford to spend money on its corporate security, it should at least try to attract security researchers by other means," wrote Ilia Kolochenko, the CEO of High-Tech Bridge. "Otherwise, none of Yahoo’s customers can ever feel safe.”"