But it can also have a negative effect if not handled sensitively. Facebook famously denied Khalil Shreateh a bug bounty even though he had tried to report a bug 'responsibly.' Failing to do so, he demonstrated the flaw by posting directly to Mark Zuckerberg's wall.
The official response from Facebook was that since he did not follow their written procedure for reporting bugs, he did not qualify for a bounty. This is a reaonable position to take – but the widespread public perception was that he was denied a reward out of pique because he hacked Zuckerberg himself. So much so, in fact, that the security industry clubbed together and privately provided a $13,000+ reward (donated by more than 300 individuals).
Now High Tech Bridge (HTB), a firm that provides pentesting and security audit services, decided to test the bug reporting process from the sharp end. It chose Yahoo, because, it claims, it is "less famous than Facebook and Google [which both pay out thousands of dollars in bug bounties, while] at the same time handling sensitive information for hundreds of millions of users."
In fairness to what follows, it should be said that Yahoo does not publicly claim to offer a bug bounty program.
High Tech Bridge rapidly found an XSS flaw affecting the marketingsolutions.yahoo.com domain (it took just 45 minutes). It reported this to Yahoo through the official channels, and within 24 hours got a reply: "“Unfortunately this submission does not qualify for a reward because it has already been reported by another individual."
Undeterred, HTB sought other bugs; and found similar XSS flaws in the ecom.yahoo.com and adserver.yahoo.com domains. "Each of the discovered vulnerabilities allowed any @yahoo.com email account to be compromised simply by sending a specially crafted link to a logged-in Yahoo user and making him/her click on it," says HTB.
This time it took Yahoo 48 hours to respond – and this time it offered the frankly insulting reward of $12.50 per vulnerability. To make matters worse, the reward was in the form of a discount code to be spent in the Yahoo company store.
Ilia Kolochenko, CEO at High Tech Bridge, suggests that “Yahoo should probably revise their relations with security researchers. Paying several dollars per vulnerability is a bad joke and won’t motivate people to report security vulnerabilities to them, especially when such vulnerabilities can be easily sold on the black market for a much higher price."
Brian Martin, president of the Open Security Foundation, agrees. "Even Microsoft, who was the most notorious hold-out on bug bounty programs realized the value and jumped ahead of the rest, offering up to $100,000 for exploits that bypass their security mechanisms", he said. "Some of these companies pay their janitors more money to clean their offices, than they do security researchers finding vulnerabilities that may put thousands of their customers at risk.”
In the absence of any clear indication of a bug bounty program, Infosecurity asked Yahoo for a comment on whether one exists, or whether one will exist. No response has been received in time for this article; but an update will be posted if we do receive one. However, Ilia Kolochenko has told Infosecurity that he did not ask for a reward, and indeed told Yahoo that he did not want one.
All of the vulnerabilities reported to Yahoo by High Tech Bridgre have been fixed.