Sci/Tech Serious Yahoo bug discovered. Researchers rewarded with $12.50 voucher to buy corporate T-shirt

tom_mai78101

The Helper Connoisseur / Ex-MineCraft Host
Staff member
Yahoo, it seems, just can’t do anything right when it comes to winning friends in the security industry. First, they came up with a bonkers scheme for recycling old email addresses – not apparently realising the danger of identity theft to which it was exposing the original account holders.

Next, Yahoo CEO Marissa Mayer showed she didn’t even have time to tap four digits, and admitted she doesn’t bother to have even a simple security passcode on her iPhone.

And now, it’s been revealed that it takes its users’ security with such disregard that it “rewards” researchers who find vulnerabilities with a paltry $12.50 bounty… which can only be spent in Yahoo’s Company Store.

That’s what just happened to the researchers at High-Tech Bridge recently.

On Monday 23rd September, the researchers informed Yahoo’s Security Team about three cross-site scripting (XSS) vulnerabilities affecting the ecom.yahoo.com and adserver.yahoo.com domains.

Read more here.

Well, that sucks...
 

seph ir oth

Mod'n Dat News Jon
There are services/programs that will bounce your site(s) off of a bunch of different XSS approaches. I am shocked that it is still a problem on big websites.
 

Slapshot136

Divide et impera
I don't think Yahoo can afford to give any more per security issue since they have so many of those, they need to keep enough t-shirts to go around
 