Web giant Yahoo in conflict with security researchers over allegations paying US$12.50 for bug reports that can only be spent on their company merchandise.
Swedish security firm, High-Tech Bridge said it ran a “small experiment” on Yahoo to see how
speedily the company responded to vulnerability notifications.
The researchers alleged they discovered a cross-site scripting (XSS) fault in a Yahoo web page within 45 minutes of testing. Yahoo’s security team responded within 24 hours, but reportedly did not offer a cash reward, claiming someone else had reported the flaw first. High-Tech then went on and found three more XSS vulnerabilities.
“Each of the discovered vulnerabilities allowed any @yahoo.com email account to be compromised simply by sending a specially crafted link to a logged-in Yahoo user and making him/her click on it,” the researchers stated
“Yahoo warmly thanked us for reporting the vulnerabilities and offered us… 12.50 USD (twelve dollars and fifty cents) reward per each vulnerability.”
In addition to the great reward the sum of cash was given as a discount code that can only be applied in the Yahoo Company Store, which sell Yahoo’s corporate t-shirts, cups, pens and other accessories.
“At this point we decided to hold off on further research.”