Yahoo! Pays! Paltry! $12.50! Bug! Bounty! For! Nasty! Email! Vuln!

Yahoo! has paid a bug bounty to security researchers who found a bug that “allowed any @yahoo.com email account to be compromised simply by sending a specially crafted link to a logged-in Yahoo! user and making him/her clicking on it.” But the bounty was just $US12.50 and came in the form of a voucher that could only be spent in …

COMMENTS

This topic is closed for new posts.

'We know about that bug'

But the bug was still there!

Ok I believe you this time... Not.

6
0

Bug?

More like "we know about this security hole but don't really care"

6
0
WTF?

So they were all previously reported?

So what's the fuss?

0
3

Maybe because they were still there?

6
0

Nope - the first was previously reported (allegedly). The second two were not, and it's because of the second two that the "bounty" was issued.

The original statement does at least mention that all 3 vulns have now been fixed.

0
0

A tenner is worse than nothing at all

That level of reward is in the order of magnitude of 10 of any of the main Western currencies. It's third prize in a colouring-in competition. It's a brush-off.

3
0

Re: A tenner is worse than nothing at all

I think you'll find it's actually second prize in a beauty contest...

3
0
Anonymous Coward

12.50 is a lot

and a lot, lot more than nothing (aka "crowdsourcing")

...unthankful git!

;)

1
3

wonky !

Kudos to El Reg for changing the angle of the exclamation mark.

5
0

£12.50

Equals a month's worth of eating out at a noodle bar in many rural Chinese cities, towns and villages.

But, yeah, it stinks.

BTW, my Yahoo account was hacked earlier this year, despite the fact I hadn't actually USED it, or logged into it for at LEAST 8 years. (Set it up to forward mail to a gmail account - lol)

0
0

Yahoo Bug Report

Dear Yahoo!,

I have found a major bug in your website, which has caused your exclamation mark to fall over. Don't thank me, please just send my £12.50 care of The Register. Thanks.

0
0

Stupid

If Yahoo is only going to pay $12.50 for a bug, people who find bugs will just publish the bugs without reporting them to Yahoo first.

1
0

Re: And even that had to be spent on Yahoo! tat..

Let me fix that for you :-

"And even that had to be spent on Yahoo! tat!"

0
0
Anonymous Coward

Yahoo attracting security researchers?

First it'd better attract a few more customers.

1
0
Anonymous Coward

Big deal?

Please do not take offense - I do not work in the industry but I've been curious about this. I presume that the "security researchers" who do this type of work derive their primary income from some means other than these bounties, similar to the way police officers get paid for extra duties performed off hours (such as providing security at concerts). If this is the case, nobody will bother doing this type of work for Yahoo! anymore, which is a problem for Yahoo! and their users. No big deal for everyone else.

On the other hand, saying that one can be remunerated better on the black market is like saying that it's cheaper to steal food rather than pay for it, and that if grocers don't lower their prices accordingly, people may as well just steal their food. It may be true, but that doesn't make it legal or moral.

0
0

One difference: people have to eat; they do not have to look for bugs for Yahoo!.

Another difference: grocers are not paying people to come buy their wares.

Please do not take offense, but your grocer analogy is wrong on just about every level. That said, I do believe that it is rather difficult to make any kind of analogy with the Internet Security scene, because it is the only "market" in the world where people can work for a company without obligation, a contract or any legal framework.

0
0
Nym

I told them Yahoo! was a bug

and they billed me $12.50.

0
0