Researchers report XSS flaws to Yahoo, receive $25 store credit as bug bounty


A Swiss penetration testing firm that pointed out cross-site scripting (XSS) flaws affecting two Yahoo domains was disappointed to discover the company's reward for their research.

According to High-Tech Bridge, Yahoo shelled out $12.50 each for two of the bugs the firm reported to it; High-Tech Bridge had previously found XSS bugs in NASDAQ's website. Furthermore, the money was only redeemable at Yahoo's company store, High-Tech Bridge revealed in a Monday blog post.

The XSS flaws, which affected the and domains, could allow any "" email account to be compromised if a logged-in user clicked a malicious link sent by a saboteur, the company revealed. reached out to Yahoo, but did not immediately hear back.
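The attack path described above is classic reflected XSS: the page echoes part of the clicked link back into its HTML without encoding, so a victim's own session executes whatever markup the link carried. The following is an added illustration (not code from the article, from Yahoo or from High-Tech Bridge) of the defect and its fix, plus the kind of regression check a defender can keep in a test suite. The `example.test` URL and the `q` parameter are constructed for the example.

```python
import html
from urllib.parse import parse_qs, quote, urlsplit


def query_param(url: str, name: str) -> str:
    """Return the first value of a query parameter, or '' if absent."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def render_vulnerable(url: str) -> str:
    # Reflects the query verbatim: any markup carried in the link
    # is emitted as live HTML in the victim's logged-in session.
    return f"<p>Results for: {query_param(url, 'q')}</p>"


def render_fixed(url: str) -> str:
    # Encodes <, >, &, " and ' so the reflected text is rendered as
    # text, not interpreted as markup.  This is the standard fix for
    # reflected XSS in an HTML text context.
    return f"<p>Results for: {html.escape(query_param(url, 'q'), quote=True)}</p>"


# Harmless marker tag used only to detect unescaped reflection (constructed).
PROBE = "<b>probe</b>"


def reflects_markup(render) -> bool:
    """Regression check: True if the renderer echoes the marker tag unescaped."""
    page = render("https://example.test/search?q=" + quote(PROBE))
    return PROBE in page


if __name__ == "__main__":
    print("vulnerable reflects markup:", reflects_markup(render_vulnerable))
    print("fixed reflects markup:     ", reflects_markup(render_fixed))
```

The check is deliberately crude (a single marker in a single HTML text context); a real test suite needs a probe per output context (attribute, script, URL), and a Content-Security-Policy reduces the blast radius when encoding is missed.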

Three XSS bugs were reported to Yahoo as of Sept. 23, and the company responded within 48 hours, offering $12.50 each for just two of the bugs. All of the vulnerabilities have since been patched by Yahoo, High-Tech Bridge said.

The company discovered the XSS flaw after beginning an experiment to see “how quickly security vulnerabilities on well-known websites such as Yahoo can be found” – and how long it would take to receive a response, the company blog post said.

In a Tuesday email, Ilia Kolochenko, CEO at High-Tech Bridge, told that even without sufficient financial motivation, companies could do a better job of providing other incentives for security researchers reporting their discoveries.

"Few companies today pay enough money to security researchers to motivate them only by money," Kolochenko wrote. "Even the amounts paid by Google are not high enough to be a sole motivation for researchers. However, when a company also offers a public 'thank you,' such as listing in [a] hall of fame, it can be a good added-value for many security professionals."

Kolochenko told that he inquired about a program that recognized researchers' findings. Yahoo's security team emailed him back saying they did not have a hall of fame program, but that things could change in the future.
