Thursday, January 27, 2022

Yahoo Rewards Security Researchers with a $12.50 coupon

Web giant Yahoo in conflict with security researchers over allegations paying US$12.50 for bug reports that can only be spent on their company merchandise.

Swedish security firm, High-Tech Bridge said it ran a “small experiment” on Yahoo to see how

Y from the Yahoo logo
Y from the Yahoo logo (Photo credit: Wikipedia)

speedily the company responded to vulnerability notifications.

The researchers alleged they discovered a cross-site scripting (XSS) fault in a Yahoo web page within 45 minutes of testing. Yahoo’s security team responded within 24 hours, but reportedly did not offer a cash reward, claiming someone else had reported the flaw first.  High-Tech then went on and found three more XSS vulnerabilities.

“Each of the discovered vulnerabilities allowed any email account to be compromised simply by sending a specially crafted link to a logged-in Yahoo user and making him/her click on it,” the researchers stated

“Yahoo warmly thanked us for reporting the vulnerabilities and offered us… 12.50 USD (twelve dollars and fifty cents) reward per each vulnerability.”

In addition to the great reward the sum of cash was given as a discount code that can only be applied in the Yahoo Company Store, which sell Yahoo’s corporate t-shirts, cups, pens and other accessories.

“At this point we decided to hold off on further research.”

About FastFlux

Owner of ZeroSecurity, interested in programming, malware analysis and penetration testing. If you would like to write for the ZeroSecurity team, please use the contact form above.

Check Also

Silent OS 3.0 for Blackphone Completely revamped

Version 3.0 migrates Silent OS to Android Marshmallow 6.0.1 and delivers the Android safety patch …