Yahoo, please start with a Vulnerability Reward Program - nilsjuenemann
http://www.nilsjuenemann.de/2013/05/yahoo-please-start-with-vulnerability.html

======
nbpoole
_"This wouldn't happen if Yahoo had a Vulnerability Reward Program"_

As much as I support these kinds of programs
(<https://nealpoole.com/blog/responsible-disclosure-programs/>), that's a
false dichotomy. Some companies have responsible disclosure policies or
vulnerability reward programs. Some companies don't.

Anecdotally, the companies that do have programs don't inherently respond more
quickly or handle reports better (i.e.
[https://nealpoole.com/blog/2013/04/experiences-with-the-yandex-bug-bounty-program/](https://nealpoole.com/blog/2013/04/experiences-with-the-yandex-bug-bounty-program/),
[https://nealpoole.com/blog/2013/03/csrf-persistent-xss-in-my-ebay-com/](https://nealpoole.com/blog/2013/03/csrf-persistent-xss-in-my-ebay-com/)).
In contrast, companies that don't have programs may still be very
responsive and willing to work with researchers; I reported issues to GitHub,
Etsy, and Facebook before their respective programs were in place and they
always responded quickly and effectively.

It comes down to the people who focus on security at the company and the way
in which security is prioritized. If your company doesn't value and prioritize
security, a responsible disclosure program won't make anyone's life easier.

In that sense, I do think that companies can and should do a better job of
working with security researchers, regardless of whether they have a
responsible disclosure program or vulnerability reward program in place. If a
company takes security seriously, it should make it easy for researchers to
report vulnerabilities. Researchers shouldn't feel that their reports are
being sent into a black hole: if they do, they'll be less likely to spend
their time reporting issues in the future.

~~~
simonbrown
Even having an email address to send reports to would be good for a lot of
websites. I sometimes don't bother reporting these issues for fear of being
threatened with legal action.

~~~
bluesmoon
You can send security reports about Yahoo to security@yahoo-inc.com. All of
them are addressed, and you won't be threatened with legal action. If you're
lucky you might get a T-shirt.

PS: I'm an ex-paranoid. Things might have changed since I left, but I'm pretty
sure they'll still listen to reports.

------
brokentone
Feels just a little entitled. For the longest time hackers would notice an
issue on a service they used, and out of respect for the service and concern
for their own data, they would report. Threats of legal action would quickly
follow, so hackers stopped reporting.

Now a lot of the major players have policies promising no legal action for
responsible disclosure, some even have rewards (whether monetary or
acknowledgement) for the hackers.

In this case, a response was given, no legal action was threatened, and the
bug was quickly fixed. Isn't this the goal? Looks like Yahoo is doing their
job here.

~~~
quackerhacker
Acknowledgement, I agree, is required at least. The OP got that from a bot.
Monetary is always nice, but reputation...or just an ACTUAL person on the dev
team saying "thank you for your help," is better than NOTHING as assumed in
this article.

~~~
bluesmoon
Actually, that wasn't a bot. The volume of security reports is too low to
require an automated task. That mail was probably sent out by someone from the
security team. It is a form letter, but that's for consistency across
responses.

------
nhm
I just wrote my own post about how, two weeks ago, I could log in to Yahoo
Mail with any password
([http://nick.malcolm.net.nz/2013-05-20-yahoo-imap-vulnerability.html](http://nick.malcolm.net.nz/2013-05-20-yahoo-imap-vulnerability.html)).

I agree with Nils that talking to bots sucks! These are big issues, and it
feels lame if you don't think the issue is being given the attention it
deserves (even if that attention is directed at you).

~~~
amatix
There's no problem putting it into a support ticket system - that's how issues
get tracked and Alice going on holiday means things get followed up. But
anything security related should be escalated immediately, skipping the
typical CS levels. You can't afford to waste the (limited) time/effort of
people who can a) help you and b) embarrass you very publicly, by making them
fight scripted support responses and non-technical CS staff.

[edit]: grammar

------
Defencely
Each and every website on the cloud is vulnerable to 0-day vulnerabilities,
which keep popping up on and on... These days cloud security is being ignored
to such a level that 0-day threats are being sold on the gray market at much
higher pricing than one will make from some bounty programs. We all know how
Zendesk got compromised :-(

As per me, there should be some beginning to make at least the world's top
10,000 sites hack proof? What do you guys have to say here...

------
pallavkaushish
Yahoo really needs to pull up its socks. They have already faced 4 major
security breaches since last year. The one before this was at the end of March 2013.

Somebody is not doing their job right.

------
basdevries
I think that when you find a bug, you are obliged to all the users of the
service to report it. It is really arrogant not to report any more bugs and
wait until the wrong dude finds it...

------
quackerhacker
I agree that Yahoo should allocate funds for vulnerability testing!

I've gotten in trouble for finding loopholes in some reputable companies'
setups. HAD I KNOWN that vulnerability rewards existed (I only found out
recently)... my hat would never have been black. My ignorance is laughable,
because I've never really been in the hacker scene... just look at my handle
(quacker). BTW: time to start emailing companies :)

Title Suggestion: Yahoo - pay hackers for errors

------
walshemj
No, you will just create more problems, just like when bounties for rats caused
people to set up rat farms.

~~~
kbuck
I don't think this analogy works. With this analogy, they'd have to be adding
bugs to the code and then "finding" them to get the reward. In this case,
having a reward would most likely result in more people specifically looking
for bugs, but they'd be looking for them so that they could report them and
get money for it. It's better to have to pay out a bug bounty than have a
malicious entity find and exploit the bug later.

~~~
walshemj
Did you not see the Dilbert cartoon where the punch line from Wally is "I just
wrote me a new car"?

~~~
eropple
The people towards whom a vulnerability rewards program is targeted aren't the
same people writing the code. That should be obvious.

~~~
walshemj
You don't know much about human nature, do you? Insiders would pass details to
trusted friends and get them to make the claim.

Just like quite a few insider trading cases it's the wife/family members that
get the tip and buy the shares.