Yahoo’s $12.50 Bug Bounty Will Not Inspire You to Report Many Vulnerabilities

Who wants a tricked out Yahoo hat?
Some of the choices. (Photo: Graham Cluley)

Reporting site bugs to Facebook can earn you at least $500. Report one to Google, and you’re guaranteed at least $100. Just don’t go crying to Yahoo, because you’ll be lucky to get a half-used gift card to the Hard Rock Cafe. Actually, that’s on the generous side. Someone reported a flaw that exposed a site vulnerability and received $12.50, and that’s only redeemable at the company store.

Security firm High Tech Bridge said it found three flaws that could be abused in phishing attacks to compromise a user’s Yahoo account. So the firm reported the vulnerabilities to Marissa & Co. Two days later, it received a thank-you note with a store credit that would barely cover lunch and can only be spent on Yahoo-branded socks, hats and stuffed animals.

Needless to say, the firm’s CEO wasn’t pleased. Ilia Kolochenko blasted the company in a press release for its pathetic pittance:

Yahoo should probably revise their relations with security researchers. Paying several dollars per vulnerability is a bad joke and won’t motivate people to report security vulnerabilities to them, especially when such vulnerabilities can be easily sold on the black market for a much higher price.

Perhaps Yahoo ran out of money because they spent it all on a new logo. Or maybe they just hate you!

Follow Jordan Valinsky on Twitter or via RSS. jvalinsky@observer.com