Yahoo has promised to put the finishing touches on a new vulnerability reporting and rewards policy by Halloween after finding itself in the throes of a mini scandal this week over two $12.50 Yahoo company store discount codes handed out to one researcher in thanks for turning in a pair of cross-site scripting bugs.
The researcher in question, High-Tech Bridge CEO Ilia Kolochenko, urged Yahoo to “revise its relations” with the security community after sharing his story. Kolochenko, the same bug-hunter who reported XSS bugs in a NASDAQ Web application last month, shared details with Yahoo on a number of security issues he found on several Yahoo domains. The first, a cross-site scripting bug on marketingsolutions.yahoo.com, was reported and acknowledged by Yahoo, which informed Kolochenko that the issue had already been reported by another researcher.
Kolochenko said he pressed on and, five days later, notified Yahoo of three more XSS vulnerabilities on the ecom.yahoo.com and adserver.yahoo.com domains.
“Each of the discovered vulnerabilities allowed any yahoo.com email account to be compromised by simply sending a specially crafted link to a logged-in Yahoo user and making him/her [click] on it,” Kolochenko said.
Yahoo, Kolochenko said, replied within two days and rewarded him with a $25 discount code for the Yahoo company store. This did not sit well with the researcher.
“Paying several dollars per vulnerability is a bad joke and won’t motivate people to report security vulnerabilities to them, especially when such vulnerabilities can be easily sold on the black market for a much higher price,” he said. “Nevertheless, money is not the only motivation of security researchers.”
Kolochenko pointed toward Google’s bug bounty as an example of a rewards program that pays substantial amounts and also maintains a “Hall of Fame,” playing to the egos of researchers as well.
“If Yahoo cannot afford to spend money on its corporate security, it should at least try to attract security researchers by other means,” Kolochenko said. “Otherwise, none of Yahoo’s customers can ever feel safe.”
Yahoo security team director Ramses Martinez responded yesterday that Yahoo has been quick to remedy vulnerabilities reported to his team, but that a formal recognition and rewards process and policy have been slow in coming.
Martinez acknowledged Kolochenko’s complaint while previewing the upcoming revised policy, which he said will reward individuals who identify “new, unique and/or high-risk issues” with payouts in the range of $150 to $15,000.
“The amount,” Martinez said, “will be determined by a clear system based on a set of defined elements that capture the severity of the issue.”
Martinez also said the new policy will be released by Oct. 31, and that payouts will be made retroactively for submissions dating back to July 1. Previously, Martinez had acknowledged submissions with a Yahoo T-shirt, which he said he paid for himself, and a personal letter to the researcher certifying the find.
“If you submitted something to us and we responded with an acknowledgement (and probably a t-shirt) after July 1st, we will reconnect with you about this new program,” Martinez said. “This includes, of course, a check for the researchers at High-Tech Bridge who didn’t like my t-shirt.”
Martinez said the new Yahoo reporting program will concentrate on improving the reporting process for researchers via a new website, which he said should also improve Yahoo’s internal validation and remediation processes. Once an issue is validated, Martinez said, the researcher will be contacted within 14 days of submission and given formal recognition via email or a written letter, and will also be listed in some sort of “Hall of Fame.”
Image from Flickr, Joanne Escober