Yahoo's online security team could use some public-relations training.
Last month, researchers at Swiss information-security company High-Tech Bridge discovered three cross-site scripting vulnerabilities that could be used to add unauthorized scripts, or programmed behaviors, to two of Yahoo's websites.
The fact that Yahoo has some security vulnerabilities isn't the news, though. All software has bugs (although Yahoo seems to have a lot). That's just a fact of computing. The real news is how little Yahoo apparently values the experts who tip them off to security bugs.
Many companies rely on freelance security researchers, sometimes called "white hats," who poke around the businesses' online architecture looking for vulnerabilities. When the white hats find one, they alert the companies, usually through an established submission process.
Many companies, including Facebook, Google and Microsoft, are willing to pay researchers "bug bounties" for discovering new flaws.
For the companies, it's better to pay a few hundred dollars per flaw than to risk losing thousands or millions of dollars if a "black hat," or malicious hacker, were to exploit the flaws. (There's a full list of companies that pay for flaws at the "Bug Bounty List" website.)
So when High-Tech Bridge reported its findings to Yahoo's security team, the researchers were shocked when Yahoo offered them just $12.50 USD in return.
What's more, that $12.50 could only be used in Yahoo's online store.
The vulnerabilities High-Tech Bridge found affected the domains ecom.yahoo.com and adserver.yahoo.com.
According to the researchers, a malicious hacker could use these flaws as a means of inserting bad links into the emails of anyone with an "@yahoo.com" email address.
In other words, they're pretty serious vulnerabilities. High-Tech Bridge reported their findings on Sept. 23, and Yahoo has already patched the bugs. But the paltry $12.50 bounty apparently still stands.
"Paying several dollars per vulnerability is a bad joke and won't motivate people to report security vulnerabilities to them," said High-Tech Bridge CEO Ilia Kolochenko in a statement on the company blog. "Especially when such vulnerabilities can be easily sold on the black market for a much higher price."
Kolochenko also suggested that if Yahoo doesn't want to pay, then it could instead implement a public "hall of fame" for researchers who have found flaws in their systems.
Google has such a list (along with a lucrative bug-bounty system), and the prestige of appearing on a Yahoo version would be hugely beneficial to any security researcher's career.
"Yahoo, it seems, just can't do anything right when it comes to winning friends in the security industry," security expert Graham Cluley wrote on his blog.
Yahoo's other recent security faux pas include the decision to recycle old email addresses, which resulted in people who had unknowingly chosen a reused email address receiving the former owner's mail.
CEO Marissa Mayer also recently admitted she doesn't password-protect her smartphone, causing the entire online security community to gasp and compose outraged Tweets.
UPDATED (10/3/2013): Yahoo has announced it is changing its policy and will now offer between $150-15,000 for security vulnerabilities, as reported in a post on Yahoo's developer network blog by Ramses Martinez, director of Yahoo Paranoids (the company's security team).