Nervous reader, were you unsettled by the recent news that Yahoo’s email address recycling scheme had resulted in new account holders receiving past account owners’ personal details, including passwords and even an invitation to a wedding?
Did you fear that Yahoo might not be applying itself with all due gusto to users’ security, in spite of its having stated that it takes the security and privacy of its users very, very seriously?
Fret not. The exclamation-marked one has proved that it’s devoted to security.
How, you well may ask?
It paid a bug bounty to a security company, for finding a vulnerability that allowed any @yahoo.com email account to be compromised simply by sending a specially crafted link to a logged-in Yahoo user and tricking him or her into clicking.
In light of having been paid for that hole, the security company, Switzerland-based High-Tech Bridge, put a price tag on exactly how much Yahoo values their email security.
That would be $12.50 (£7.71).
The company had decided to test how quickly security holes on well-known, heavily trafficked sites such as Yahoo can be found and how the email provider reacts to a vulnerability notice.
Within 45 minutes of starting the research on 18 September, the company had netted a “classic reflected XSS vulnerability” affecting the marketingsolutions.yahoo.com domain: a cross-site scripting flaw in which script smuggled into a URL parameter is echoed straight back into the page, so it runs in the browser of whoever clicks the link, with that user’s Yahoo session.
High-Tech Bridge speedily reported the bug, and Yahoo speedily replied in less than 24 hours.
Unfortunately, Yahoo was just letting the security outfit know that the bug had already been reported.
Unfortunately this submission does not qualify for a reward because it has already been reported by another individual. Please continue to send in any other vulnerabilities that you may discover in the future.
The reply didn’t provide the security company with evidence that the vulnerability had already been reported, but OK. Fine.
Its researchers went on poking, and in short order, they found more issues.
In fact, by 22 September, High-Tech Bridge had discovered three more XSS vulnerabilities affecting the ecom.yahoo.com and adserver.yahoo.com domains.
The company reported the issues on Monday, 23 September, letting Yahoo know that each of the discovered vulnerabilities allowed any @yahoo.com email account to be compromised simply by, again, sending a specially crafted link to a logged-in Yahoo user and convincing him/her to click on it.
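The mechanism behind all four findings is the same one the report describes: a parameter from the URL is written into the page without encoding, so a crafted link turns into live markup in the victim’s browser. The following is an added illustration, not code from the article, from High-Tech Bridge or from Yahoo; the route, the parameter name, the host and the marker payload are all assumed for demonstration and are not Yahoo’s actual endpoints. It shows the vulnerable rendering beside the encoded one, plus the crude reflection check a tester uses to triage a suspected reflected XSS.

```javascript
// Added example (not from the article, High-Tech Bridge or Yahoo).
// Endpoint, parameter name and payload are hypothetical.

// Vulnerable: the query value is interpolated into HTML as-is. A link such as
// ?q=<script>...</script> becomes real markup in the page of whoever clicks it,
// executing with that user's cookies and session, which is what "any logged-in
// account can be compromised by a crafted link" means in practice.
function renderSearchVulnerable(query) {
  return `<h1>Results for ${query}</h1>`;
}

// Hardened: encode the HTML-significant characters before interpolating, so the
// browser renders the attacker's text as text rather than parsing it as tags.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function renderSearchSafe(query) {
  return `<h1>Results for ${escapeHtml(query)}</h1>`;
}

// Constructed marker payload of the kind used when triaging reflected XSS:
// harmless if it fires, unmistakable if it is echoed back unencoded.
const MARKER = '<img src=x onerror="alert(document.domain)">';

// Reflection check: does the response contain the payload as raw markup?
function isReflectedUnescaped(renderFn, payload = MARKER) {
  return renderFn(payload).includes(payload);
}

// Parse the parameter the way a server would from a real crafted link, so the
// check runs against the URL-decoded value the victim's browser would send.
function renderFromUrl(renderFn, url) {
  const q = new URL(url).searchParams.get('q') ?? '';
  return renderFn(q);
}

// Hypothetical crafted link of the sort sent to a logged-in user.
const craftedLink = 'https://example.invalid/search?q=' + encodeURIComponent(MARKER);

// Stand-alone run: the vulnerable handler reflects the marker verbatim, the
// hardened one returns only encoded text.
console.log('vulnerable reflects raw markup:', isReflectedUnescaped(renderSearchVulnerable));
console.log('hardened   reflects raw markup:', isReflectedUnescaped(renderSearchSafe));
console.log(renderFromUrl(renderSearchSafe, craftedLink));
```

Output encoding at the point of interpolation is the fix for this class of bug; a content security policy and the HttpOnly cookie flag limit what a successful injection can do but do not remove the injection itself.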
Yahoo’s response was a bit slower in coming this time around.
Within 48 hours, Yahoo “warmly thanked” High-Tech Bridge and offered to lavish the company with the princely sum of $12.50 per vulnerability.
If your first inclination was like mine, of course, you’d warn High-Tech Bridge: Don’t spend it all in one place, guys!
Unfortunately, they do have to spend it all in one place, because Yahoo isn’t giving them cash, exactly.
Rather, the funds were disbursed as a discount code to spend in the Yahoo Company Store, which sells Yahoo’s corporate swag: t-shirts, cups, Inkjoy Retractable Pens, a 7×9″ mousepad festooned with the image of balloons, or the Yahoo Unisex Baby Set, which features, among other things, an Emoticon Long Sleeve Onesie (6-12 month).
Except the Yahoo Unisex Baby Set actually costs $61.
I’m afraid you’ll have to discover a lot more XSS vulnerabilities to score that Yahoo Company Store item, High-Tech Bridge!
High-Tech Bridge is a tad miffed.
Ilia Kolochenko, High-Tech Bridge CEO, said this:
Paying several dollars per vulnerability is a bad joke and won’t motivate people to report security vulnerabilities to them, especially when such vulnerabilities can be easily sold on the black market for a much higher price.
Of course, money isn’t the only motivation for security researchers, Kolochenko went on to say. Ego is right up there.
That’s why, he said, companies like Google not only pay out much higher financial rewards, but they also maintain a Hall of Fame where all security researchers who have ever reported security vulnerabilities are publicly listed.
If Yahoo cannot afford to spend money on its corporate security, it should at least try to attract security researchers by other means. Otherwise, none of Yahoo’s customers can ever feel safe.
How much more do other companies pay out in bug bounties?
As of July 2013, when Microsoft paid its first bug bounty for a hole in Internet Explorer, Google had paid out about $580,000 over three years for 501 Chrome bugs, and Mozilla had paid out about $570,000 over the same period for 190 Firefox bugs.
A study [PDF] from the University of California, Berkeley has found that paying bounties to independent security researchers is a better investment than hiring employees to do it.
If you compare bug bounty payouts with the cost of just one full-time salaried security researcher digging through code, at, say, $100,000 per year, it’s easy to see that the savings to a company can be huge.
In fact, the study found that bounty programs “appear to be 2-100 times more cost-effective than hiring expert security researchers to find vulnerabilities.”
High-Tech Bridge quoted Brian Martin, President of the non-profit Open Security Foundation, who commented on the High-Tech Bridge experiment, noting that some vendors pay their janitors more money to clean their offices than they do to security researchers who find vulnerabilities that could put thousands of their customers at risk.
High-Tech Bridge, for its part, says it’s decided to hold off on further research.
Yahoo, is this what you wanted to encourage with your first bug bounty payout? Security researchers throwing in the towel instead of helping to make your products safer to use?
I hope not.
Readers, what do you think? Do you think that the low payout means that Yahoo likely evaluated the XSS vulnerabilities and didn’t think much of them?
Or is just that the Onesie stock’s running low?
Please let us know your thoughts in the comments below.