Researchers report XSS flaws to Yahoo, receive $25 store credit as bug bounty


A Swiss penetration testing firm that pointed out cross-site scripting (XSS) flaws affecting two Yahoo domains was disappointed to discover the company's reward for their research.

According to High-Tech Bridge, Yahoo paid $12.50 each for two of the bugs the firm reported to it; the same firm previously found XSS bugs in NASDAQ's website. Furthermore, the money was only redeemable at Yahoo's company store, High-Tech Bridge revealed in a Monday blog post.

The XSS flaws, which affected the ecom.yahoo.com and adserver.yahoo.com domains, could allow any "@Yahoo.com" email account to be compromised if a logged-in user clicked a malicious link sent by a saboteur, the company revealed.

SCMagazine.com reached out to Yahoo, but did not immediately hear back.

Three XSS bugs were reported to Yahoo as of Sept. 23, and the company responded within 48 hours, offering $12.50 each for just two of the bugs. All of the vulnerabilities have since been patched by Yahoo, High-Tech Bridge said.

The company discovered the XSS flaws after beginning an experiment to see “how quickly security vulnerabilities on well-known websites such as Yahoo can be found” – and how long it would take to receive a response, the company blog post said.

In a Tuesday email, Ilia Kolochenko, CEO at High-Tech Bridge, told SCMagazine.com that even without sufficient financial motivation, companies could do a better job of providing other incentives for security researchers reporting their discoveries.

"Few companies today pay enough money to security researchers to motivate them only by money," Kolochenko wrote. "Even the amounts paid by Google are not high enough to be a sole motivation for researchers. However, when a company also offers a public 'thank you,' such as listing in [a] hall of fame, it can be a good added-value for many security professionals."

Kolochenko told SCMagazine.com that he inquired about a program that recognized researchers' findings. Yahoo's security team emailed him back saying they did not have a hall of fame program, but that things could change in the future.
