Security veteran Graham Cluley reports that on 23rd September, researchers informed Yahoo’s Security Team about three cross-site scripting (XSS) vulnerabilities affecting the ecom.yahoo.com and adserver.yahoo.com domains.
The vulnerabilities meant it was possible to compromise *any* Yahoo account, by getting a logged-in user to visit a URL.
When Yahoo responded 48 hours later, they awarded a measly $12.50 per bug (in the form of a voucher that could only be spent at Yahoo’s Corporate Store).
"This amount was given as a discount code that can only be used in the Yahoo Company Store, which sells Yahoo’s corporate t-shirts, cups, pens and other accessories. At this point, the High-Tech Bridge team decided to hold off on any further research for Yahoo."
Cluley says that the risible reward is unlikely to win Yahoo any fans in the white-hat community.