Currently, more and more companies are looking to external security researchers to help identify vulnerabilities and weaknesses in their applications through Bug Bounty Programs. These programs are not without their problems; Facebook’s Bug Bounty program is a case in point and questions about programs run by other companies regularly attract media attention.
The team at High-Tech Bridge wanted to test how well these Bug Bounty programs work by seeing how quickly security vulnerabilities on well-known websites could be found and how the recipient of a vulnerability notification would react. High-Tech Bridge selected Yahoo, which follows industry best-practices and encourages security researchers to report discovered vulnerabilities: “If you are a member of the security community and need to report a technical vulnerability, contact: email@example.com”. Though not in the same league as Facebook and Google, Yahoo handles sensitive information for hundreds of millions of users, so appeared to be a perfect target for the experiment.
On Wednesday 18th September 2013 and using nothing more than a Firefox web browser, the first XSS vulnerability was found in just 45 minutes. It was a classic reflected XSS vulnerability affecting the marketingsolutions.yahoo.com domain, which was immediately reported to Yahoo. Yahoo’s speed of response was laudable, a reply was received in less than 24 hours but, the response was disappointing: “Unfortunately this submission does not qualify for a reward because it has already been reported by another individual. Please continue to send in any other vulnerabilities that you may discover in the future”. Obviously the reply didn’t provide any evidence that the vulnerability had been reported already.
The team continued its research on the following Sunday evening (22nd September). By Monday 23rd September the Yahoo Security Team was notified of three more XSS vulnerabilities affecting the ecom.yahoo.com and adserver.yahoo.com domains. Each of the vulnerabilities could compromise any @yahoo.com email user’s account – all that would be required was that the user, while logged-in to Yahoo, click on a specially crafted link received in an email.
This time Yahoo took 48 hours to reply. Yahoo warmly thanked High-Tech Bridge for reporting the vulnerabilities and offered a bounty… 12.50 USD (twelve dollars and fifty cents) per vulnerability. This amount was given as a discount code that can only be used in the Yahoo Company Store, which sells Yahoo’s corporate t-shirts, cups, pens and other accessories. At this point, the High-Tech Bridge team decided to hold off on any further research for Yahoo.
Ilia Kolochenko, High-Tech Bridge CEO, says: “Yahoo should probably revisit its relations with security researchers. Paying several dollars per vulnerability is a bad joke and won’t motivate people to report security vulnerabilities to them, especially when such vulnerabilities can be easily sold on the black market for a much higher price. Nevertheless, money is not the only motivation of security researchers. This is why companies like Google efficiently play the ego card in parallel with much higher financial rewards and maintain a ‘Hall of Fame’ where all security researchers who have ever reported security vulnerabilities are publicly listed. If Yahoo cannot afford to spend money on its corporate security, it should at least try to attract security researchers by other means. Otherwise, none of Yahoo’s customers can ever feel safe.”
Brian Martin, President of Open Security Foundation, comments on the experiment: “Vendor bug bounties are not a new thing. Recently, more vendors have begun to adopt and appreciate the value it brings their organization, and more importantly their customers. Even Microsoft, who was the most notorious hold-out on bug bounty programs realized the value and jumped ahead of the rest, offering up to $100,000 for exploits that bypass their security mechanisms. Other companies should follow their example and realize that a simple "‘hall of fame"’, credit to buy the vendor's products, or a pittance in cash is not conducive to researcher cooperation. Some of these companies pay their janitors more money to clean their offices, than they do security researchers finding vulnerabilities that may put thousands of their customers at risk.”
At the time of publication all four XSS vulnerabilities reported by High-Tech Bridge had been patched by Yahoo.