

Security researchers rewarded $12.50 voucher to buy Yahoo T-shirt - Titanous
http://grahamcluley.com/2013/09/serious-yahoo-bug/

======
spicyj
If Yahoo! had just sent the researchers t-shirts directly with thank-you
notes, perhaps they still would have been disappointed with the reward but I
doubt they (or we) would be as offended.

Funny how actual cash evokes different reactions.

~~~
jessaustin
Yahoo store credit is not "actual cash". b^)

~~~
spicyj
Oops, true. I forgot about that.

------
pflats
I'm sure the intention was something like, "Hey, we should send them a thank
you package. T-shirts? But wait, we don't know their size. Oh, hang on, I have
an idea!"

And then they end up looking like jerks.

------
uncoder0
What's an XSS usually worth? I'm guessing it varies by product and company,
but I would venture to say about $500-1000.

Really puts the $12.50 in company store credit into perspective.

~~~
theboss
It depends on severity but I believe at Google the minimum is $1337.

With that being said, $12.50 is $12.50 more than PayPal's. I don't know anyone
who has reported a vulnerability to PayPal that has actually received a
reward.

~~~
mythealias
I wonder if not paying would be better than paying a small amount.

~~~
agwa
Definitely. Paying such a small amount, especially in credit that can only be
redeemed in a company store, is patronizing and gets you mentioned in a
negative light on Hacker News. If you don't pay, you're just like one of the
many companies that doesn't have a bounty program.

Edit: this reminds me of the "eBay goodies" offered to researcher Neal Poole
in return for delaying disclosure of a vulnerability
[[https://nealpoole.com/blog/2013/03/bad-changes-to-ebays-resp...](https://nealpoole.com/blog/2013/03/bad-changes-to-ebays-responsible-disclosure-policy/)].
I would probably not have remembered that story if not for that "eBay
goodies" line, just as I probably won't forget this story thanks to the
screenshot of Yahoo-branded socks in the company store.

~~~
StavrosK
I agree with you. This reminds me of a 4-hour delay I had while flying with
Delta, where they gave me a food voucher for _two and a half dollars_ as an
apology (only redeemable at the airport cafeteria, where the smallest sandwich
cost $5). Now I will hate them forever.

I believe that not paying is better than paying little, because if you don't
pay I can at least consider that you owe me one. Giving me a pittance removes
the obligation from you for almost nothing. Even though this isn't very
applicable to companies, I think that's the reason why we consider it
insulting.

------
dromidas
Yahoo CEO renamed to Kathryn Janeway. Fuck up seriously in the first episode,
and now she's going to have to spend the rest of her time cleaning up her
mess.

------
leggo2m
Welp, it's better than being criminally prosecuted!

------
eli
I don't think reporting security bugs is a great way to become rich. If you
_expect_ to be compensated you should convince Yahoo to hire you.

Is this worse than the many companies that have never given anything to any
reporter?

~~~
nly
Good security practices are something that have to be woven into many
departments: design, development, testing, etc. Most of the researchers who
report these kinds of bugs are more like hunters than zoo keepers. They want
to go where there's fresh game, and they specialise in shooting holes in shit.
If you put them in a zoo, their skills are going to be wasted.

Besides, I suspect working as a freelance l33t hacker is more profitable and
gets you laid at parties.

------
nly
Source:

[https://www.htbridge.com/news/what_s_your_email_security_wor...](https://www.htbridge.com/news/what_s_your_email_security_worth_12_dollars_and_50_cents_according_to_yahoo.html)

------
fmavituna
Times have changed. Back in the day all we hoped was not getting sued for
reporting a bug and now we are actually defaming companies who are not giving
away good enough bounties.

It's great to see that we came to this point.

------
wesleyac
Personally, I'd _prefer_ a little "Thank You" on some Yahoo site.

$12.50 seems insulting. "Oh, your time is worth $12.50 to us, but thanks for
disclosing a huge XSS issue."

------
rdl
I wonder if this is why I've been getting so much spam from Yahoo accounts
(and actually sent from Yahoo's servers, from legitimate accounts).

