What’s your email security worth? 12 dollars and 50 cents according to Yahoo
At High-Tech Bridge we decided to run a small experiment with Yahoo, a company that follows industry best practices and encourages security researchers to report vulnerabilities they discover. Four XSS vulnerabilities affecting Yahoo's websites were discovered during the experiment.
Today more and more companies are offering Bug Bounty Programs, or in other words, remunerating security researchers for reporting vulnerabilities and weaknesses in their applications and software. Recent criticisms of Facebook’s Bug Bounty program and many other cases of misunderstandings between companies and security researchers have been the subject of much media attention.
At High-Tech Bridge we decided to run a small experiment with Yahoo, a company that follows industry best practices and encourages security researchers to report vulnerabilities they discover: “If you are a member of the security community and need to report a technical vulnerability, contact: firstname.lastname@example.org”. Being less famous than Facebook and Google while at the same time handling sensitive information for hundreds of millions of users, Yahoo appeared to be a perfect company for the experiment. The goal of the experiment was very simple: to find out how quickly security vulnerabilities on well-known websites such as Yahoo's can be found, and to see how the company reacts to a vulnerability notification.
We started our research on the 18th of September, 2013, having in our arsenal just a Firefox web browser. To our surprise, the first XSS vulnerability was found in just 45 minutes. It was a classic reflected XSS vulnerability affecting the marketingsolutions.yahoo.com domain, which was immediately reported to the Yahoo Security Team. We have to recognize Yahoo's speed: we received a reply in less than 24 hours. However, the response was quite disappointing: “Unfortunately this submission does not qualify for a reward because it has already been reported by another individual. Please continue to send in any other vulnerabilities that you may discover in the future”. Obviously the reply didn't provide us with any evidence that the vulnerability had already been reported.
Being curious about how Yahoo would react to other vulnerabilities, we continued our research during the evening of Sunday, the 22nd of September. By Monday the 23rd of September the Yahoo Security Team had been notified of 3 more XSS vulnerabilities affecting the ecom.yahoo.com and adserver.yahoo.com domains. Each of the discovered vulnerabilities allowed any @yahoo.com email account to be compromised simply by sending a specially crafted link to a logged-in Yahoo user and getting him/her to click on it.
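The root cause behind the reflected XSS class described above, and the two controls a site owner would apply, can be shown in a few lines. The following is an added example written for this page; it is not High-Tech Bridge's or Yahoo's code and does not reproduce any of the reported issues. The handler names, the `PROBE` marker and the `SID` cookie name are hypothetical. The vulnerable handler echoes a query parameter straight into HTML; the fixed one applies context-appropriate output encoding, and the cookie helper sets `HttpOnly` and `Secure` so that a session cookie is not readable through `document.cookie` (which limits, but does not remove, the impact of a script injected into the page).

```python
import html
from http.cookies import SimpleCookie

# Constructed marker: harmless text containing the characters a browser would
# treat as markup if the server reflected them without encoding.
PROBE = '<b id="xss-probe">probe</b>'


def render_search_vulnerable(query: str) -> str:
    """Toy handler (hypothetical) that reflects a request parameter verbatim into
    the response body. This is the defect class behind reflected XSS."""
    return f"<p>Results for: {query}</p>"


def render_search_fixed(query: str) -> str:
    """Same handler with HTML output encoding applied to the untrusted value.
    quote=True also encodes quotes so the value is safe inside attributes."""
    return f"<p>Results for: {html.escape(query, quote=True)}</p>"


def reflects_markup(handler, probe: str = PROBE) -> bool:
    """Regression check: True if the handler emits the probe's markup unencoded,
    i.e. reflected input would be parsed as HTML rather than shown as text."""
    return probe in handler(probe)


def session_cookie_header(session_id: str) -> str:
    """Build a Set-Cookie header for a session cookie with HttpOnly, Secure and
    SameSite=Lax. HttpOnly stops page script from reading the cookie value;
    Secure keeps it off plaintext connections. Cookie name SID is hypothetical."""
    jar = SimpleCookie()
    jar["SID"] = session_id
    jar["SID"]["httponly"] = True
    jar["SID"]["secure"] = True
    jar["SID"]["samesite"] = "Lax"
    jar["SID"]["path"] = "/"
    return jar.output(header="Set-Cookie:")


if __name__ == "__main__":
    for name, handler in (("vulnerable", render_search_vulnerable),
                          ("fixed", render_search_fixed)):
        print(f"{name}: reflects markup = {reflects_markup(handler)}")
        print("  ", handler(PROBE))
    print(session_cookie_header("constructed-session-id"))
```

`reflects_markup` is the kind of check that belongs in a project's test suite for every handler that echoes request data; it needs no browser and catches the regression before a researcher does. Note that the cookie flags are a containment measure only: an injected script can still act as the logged-in user inside the page, so output encoding (or a templating engine that escapes by default) remains the actual fix.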
One of the XSS vulnerabilities affecting Yahoo displays user cookies
This time Yahoo took 48 hours to reply, and only about the two XSS vulnerabilities affecting adserver.yahoo.com. Yahoo warmly thanked us for reporting the vulnerabilities and offered us… 12.50 USD (twelve dollars and fifty cents) reward per vulnerability. Moreover, this sum was given as a discount code that can only be used in the Yahoo Company Store, which sells Yahoo's corporate t-shirts, cups, pens and other accessories:
12.5 USD per one XSS vulnerability at Yahoo
At this point we decided to hold off on further research.
Ilia Kolochenko, High-Tech Bridge CEO, says: “Yahoo should probably revise their relations with security researchers. Paying several dollars per vulnerability is a bad joke and won’t motivate people to report security vulnerabilities to them, especially when such vulnerabilities can be easily sold on the black market for a much higher price. Nevertheless, money is not the only motivation of security researchers. This is why companies like Google efficiently play the ego card in parallel with [much higher] financial rewards and maintain a ‘Hall of Fame’ where all security researchers who have ever reported security vulnerabilities are publicly listed. If Yahoo cannot afford to spend money on its corporate security, it should at least try to attract security researchers by other means. Otherwise, none of Yahoo’s customers can ever feel safe.”
Brian Martin, President of Open Security Foundation, comments on the experiment: “Vendor bug bounties are not a new thing. Recently, more vendors have begun to adopt and appreciate the value it brings their organization, and more importantly their customers. Even Microsoft, who was the most notorious hold-out on bug bounty programs, realized the value and jumped ahead of the rest, offering up to $100,000 for exploits that bypass their security mechanisms. Other companies should follow their example and realize that a simple ‘hall of fame’, credit to buy the vendor's products, or a pittance in cash is not conducive to researcher cooperation. Some of these companies pay their janitors more money to clean their offices than they do security researchers finding vulnerabilities that may put thousands of their customers at risk.”
At the time of this article's publication, all four XSS vulnerabilities had been patched by Yahoo.
Update - 2 October 2013:
Yahoo has now brought forward its plans to reward researchers: "So rather than wait any longer, we’ve decided to preview our new vulnerability reporting policy a bit early." There are five main areas to the new policy: improved reporting, improved validation, improved remediation, the implementation of a 'hall of fame', and a reward scheme paying between $150 and $15,000. The small print of the new policy hasn't been finalised, and the scheme will be formally launched on October 31, 2013.
Update - 29 October 2013:
Yahoo has rewarded High-Tech Bridge with $1,000 for the reported vulnerabilities. The entire amount was donated to Open Security Foundation.