Yahoo! has paid a bug bounty to security researchers who found a bug that “allowed any @yahoo.com email account to be compromised simply by sending a specially crafted link to a logged-in Yahoo! user and making him/her clicking on it.” But the bounty was just $US12.50 and came in the form of a voucher that could only be spent in …
'We know about that bug'
But the bug was still there!
Ok I believe you this time... Not.
More like "we know about this security hole but don't really care"
So they were all previously reported?
So what's the fuss?
Maybe because they were still there?
Nope - the first was previously reported (allegedly). The second two were not, and it's because of the second two that the "bounty" was issued.
The original statement does at least mention that all 3 vulns have now been fixed.
A tenner is worse than nothing at all
That level of reward is in the order of magnitude of 10 of any of the main Western currencies. It's third prize in a colouring-in competition. It's a brush off.
Re: A tenner is worse than nothing at all
I think you'll find it's actually second prize in a beauty contest...
12.50 is a lot
and a lot, lot more than nothing (aka "crowdsourcing")
Kudos to El Reg for changing the angle of the exclamation mark.
Equals a month's worth of eating out at a noodle bar in many rural Chinese cities, towns and villages.
But, yeah, it stinks.
BTW, my Yahoo account was hacked earlier this year, despite the fact I hadn't actually USED it, or logged into it for at LEAST 8 years. (Set it up to forward mail to a gmail account - lol)
Yahoo Bug Report
I have found a major bug in your website, which has caused your exclamation mark to fall over. Don't thank me, please just send my £12.50 care of The Register. Thanks.
If Yahoo is only going to pay $12.50 for a bug, people who find bugs will just publish the bugs without reporting them to Yahoo first.
Re: And even that had to be spent on Yahoo! tat..
Let me fix that for you :-
"And even that had to be spent on Yahoo! tat!"
Yahoo attracting security researchers?
First it'd better attract a few more customers.
Please do not take offense - I do not work in the industry but I've been curious about this. I presume that the "security researchers" who do this type of work derive their primary income from some means other than these bounties, similar to the way police officers get paid for extra duties performed off hours (such as providing security at concerts). If this is the case, nobody will bother doing this type of work for Yahoo! anymore, which is a problem for Yahoo! and their users. No big deal for everyone else.
On the other hand, saying that one can be remunerated better on the black market is like saying that it's cheaper to steal food rather than pay for it, and that if grocers don't lower their prices accordingly, people may as well just steal their food. It may be true, but that doesn't make it legal or moral.
One difference: people have to eat, they do not have to look for bugs for Yahoo!.
Another difference: grocers are not paying people to come buy their wares.
Please do not take offense, but your grocer analogy is wrong on just about every level. That said, I do believe that it is rather difficult to make any kind of analogy with the Internet Security scene, because it is the only "market" in the world where people can work for a company without obligation, a contract or any legal framework.
I told them Yahoo! was a bug
and they billed me $12.50.