It has become quite the vogue these days for technology giants to offer bounties for bug reports. Researchers who have the time and inclination to try hacking the big online players for benign purposes can be looking at cumulatively handsome rewards.
Take Yahoo, for example. It is offering a hefty $12.50 for spotting a flaw, and High-Tech Bridge decided to take it up on its offer.
The first glitch it found - an XSS vulnerability - came in the first 45 minutes of looking and got a response from Yahoo's Security Team within 24 hours.
Alas, Yahoo's response read, "Unfortunately this submission does not qualify for a reward because it has already been reported by another individual. Please continue to send in any other vulnerabilities that you may discover in the future."
You might notice that this doesn't give any indication of how long ago the bug was previously reported, how many other people reported it, or indeed if it was going to be patched.
A few days later, High-Tech Bridge reported three further XSS vulnerabilities and within 48 hours received an acknowledgement for two of them. Good news! This time they were brand new reports, and Yahoo was quite happy to cough up $25. No mention of the third. But wait... read the small print.
This isn't cash at all. It's credit for the Yahoo Company Store. At the time of writing there were such exciting options as ballpoint pens, keychains, beanies for babies, and rubber ducks for sale - most of which are emblazoned with the old company logo.
Although all four flaws have now been patched, we're not sure how excited High-Tech Bridge was about its choice of rewards for all its hard work, as for some reason its research abruptly stopped at this point.
We leave the last word to High-Tech Bridge CEO Ilia Kolochenko, who said, "Yahoo should probably revise their relations with security researchers. Paying several dollars per vulnerability is a bad joke and won't motivate people to report security vulnerabilities to them, especially when such vulnerabilities can be easily sold on the black market for a much higher price. Nevertheless, money is not the only motivation of security researchers. This is why companies like Google efficiently play the ego card in parallel with [much higher] financial rewards and maintain a 'Hall of Fame' where all security researchers who have ever reported security vulnerabilities are publicly listed. If Yahoo cannot afford to spend money on its corporate security, it should at least try to attract security researchers by other means. Otherwise, none of Yahoo's customers can ever feel safe."