If you are a skilled security researcher and you uncover and report a Microsoft bug or vulnerability, you might get up to $100,000. With Facebook, you might get $12,500, and with Google, the reward could be $20,000.
And Yahoo? In Yahoo's case, you get a $25 voucher that can only be used to buy company swag, like a T-shirt, a few light-up ice cubes, or some "poopy bag dispensers" — though some of these don't even sport the new Yahoo logo.
That's the paltry reward that Yahoo offered to a Swiss security researcher who uncovered and responsibly reported three serious vulnerabilities on Sept. 23.
"Initially I thought it was a joke," Ilia Kolochenko, the CEO of security firm High Tech Bridge, told Mashable.
If exploited by malicious hackers, the bugs could potentially allow them to take over any Yahoo email account by tricking a logged-in user into clicking a specially crafted link, according to a blog post published by High Tech Bridge, the security firm that found the bugs.
In recent years, so-called bug bounty programs have become very popular among Silicon Valley companies. In essence, these programs aim to reward responsible security researchers or hackers who find bugs in products or software and report them to the affected companies, which in turn reward them. Google, Facebook, and Microsoft all have such programs. Yahoo doesn't, although it encourages researchers to report vulnerabilities.
"If you are a member of the security community and need to report a technical vulnerability, contact: security@yahoo-inc.com," the Yahoo security policies state.
With that in mind, Kolochenko set out to find out more about how exactly Yahoo deals with this kind of report.
"The goal of the experiment was very simple: to find out how quickly security vulnerabilities on well-known websites such as Yahoo can be found and to see how the company reacts to a vulnerability notification," the firm wrote in its blog post.
Kolochenko started working on this experiment on Sept. 18, and, by accident, he quickly found one bug and reported it. But the Yahoo security team responded that the vulnerability had already been flagged.
Then, on Sept. 22, while stuck in an airport lounge for six hours, he found three serious cross-site scripting (XSS) vulnerabilities affecting the domains ecom.yahoo.com and adserver.yahoo.com. These bugs could have been used to hack into Yahoo email accounts, according to Kolochenko.
When he reported them, Yahoo acknowledged two of the three bugs and thanked him, offering a $25 (or $12.50 per bug) discount voucher to be used on the Yahoo Company Store.
While Kolochenko said he "was not doing the research for money," he found the amounts "quite surprising."
"I didn't complain," he told Mashable via email. "[I] just asked them if they have a 'Honor Roll' and if they really pay these amounts."
Facebook, in comparison, recently paid $12,500 to a hacker who found a bug that allowed him to delete any user's pictures (it must be noted, though, that the social network also recently failed to reward another hacker who broke into Mark Zuckerberg's Timeline).
Kolochenko decided to "hold off on further research," and needless to say, he was ultimately disappointed.
"Yahoo should probably revise their relations with security researchers," Kolochenko, High Tech Bridge's CEO, was quoted as saying in the blog post. "Paying several dollars per vulnerability is a bad joke and won’t motivate people to report security vulnerabilities to them, especially when such vulnerabilities can be easily sold on the black market for a much higher price."
Graham Cluley, a security expert and blogger, also criticized Yahoo in a blog post.
"Of course, money (and t-shirts) shouldn’t be the only motivation for reporting a security vulnerability," he wrote. "But such a risible reward is unlikely to win Yahoo any friends and could — if anything — make it less likely that the site will gain the assistance of white-hats in future."
Yahoo hasn't responded to Mashable's requests for comment, but High Tech Bridge reports that the bugs were all patched by Yahoo when the security firm disclosed the incident in its blog post.
Asked if he would redeem the $25 voucher — which he could use to buy a Yahoo volleyball, a purple rubber duck, or, perhaps, Yahoo's gourmet jelly beans — Kolochenko simply responded: "No."
Image: Flickr, Tamar Winberg