
Researchers find critical vulnerabilities in Yahoo site, offered $12.50 per bug - aaronbrethorst
http://www.geekwire.com/2013/researchers-find-critical-vulnerabilities-yahoos-site-offered-1250-bug/
======
orofino
I'm confused. If I put code out into the wild, as a website, as an
application, as... whatever, I'm supposed to compensate people that take it
upon themselves to poke holes in it?

I mean, I appreciate the effort and the time, but just because you run a large
web service or any web service doesn't mean that I should pay you for vulns.
You should receive my gratitude, anything more than that is being extra nice.

Now, is there value in posting that there is some bounty for these things?
Will it result in better, more frequent disclosure and give me the ability to
close holes before someone nefarious comes along? Absolutely. Until I do that,
people shouldn't speculatively be doing research and then retroactively
bitching about how little they got paid.

If you do work like that, please let me know, I've got some projects you can
work on that I might decide to pay you for.

~~~
bcbrown
If you run a large web service, how much is it worth to you for
vulnerabilities to be reported directly to you, versus being sold on the grey
market to someone looking for an exploit?

~~~
gliese1337
That is a question you should be asking when you decide to post bounties. It
is not a question you should be forced to ask after someone goes and finds
vulnerabilities all on their own without your knowledge and then comes to you
and asks for payment unbidden. That is called extortion.

~~~
jfoster
You're right. As a result, white-hats should spend zero time with Yahoo (as
the company in the article has indicated they will). The result of that is
that only black-hats will be finding Yahoo vulnerabilities. Not a good end
result.

What should happen is that Yahoo should have bounties in the first instance.
They don't have to, but not having them leads to a bad outcome for everyone
except black-hats.

------
johngalt
There is something about offering a small amount of money that is worse than
offering none. Like leaving a waiter a penny.

If cash is part of the equation, pay the going rate. If it's not, then
acknowledge that someone did you a favor. Anything in between could be
perceived as an insult/cheap.

~~~
yogo
Yep, it says _I'm a cheap fuck_. It was better for them not to pay and offer
some other form of recognition if they weren't going to shell out some real
money.

------
cvburgess
The comments [1] from a similar article [2] discussed the merits of this
rather thoroughly.

[1]
[https://news.ycombinator.com/item?id=6472965](https://news.ycombinator.com/item?id=6472965)

[2] [http://grahamcluley.com/2013/09/serious-yahoo-bug/](http://grahamcluley.com/2013/09/serious-yahoo-bug/)

------
aspensmonster
I'm sure there are other marketplaces that could offer a better price...

~~~
hsod
One day you walk outside and you notice your neighbor left his keys on top of
his car.

You knock on his door and let him know, he says "wow thanks for the heads up,
I'll buy you a beer sometime"

You think to yourself, "A beer?? I just saved his car from being stolen--
that's worth a lot more than a beer"

A week later you walk outside and see he did it again. Instead of knocking on
his door, you walk into the alley and tell a local criminal about it in
exchange for 500 dollars.

This is essentially what you're advocating.

~~~
jessaustin
_This is essentially what you're advocating._

You have constructed an analogy so inapt that it threatens to suck all other
dumb, unenlightening analogies on HN over its event horizon until it forms a
sort of inapt hole from which dumb analogies could never escape.

Which would be a good thing, so good job!

------
dkroy
I don't understand what Yahoo did wrong. They didn't have to pay a cent but
they did. I understand that it is nominal, but it is better than nothing. I
guess just not in the case where the press can get a hold of it.

~~~
magicarp
If they don't compensate security researchers enough, the incentive to find
security holes goes away. People do this for a living.

~~~
zwp
On the flip side, HT Bridge have got way more than 12.50 USD publicity out of
this.

~~~
cortesoft
This seems to be the entire point of the article - publicity for HT Bridge.

------
tarice
Since the article itself only linked to it:

"Each of the discovered vulnerabilities allowed any @yahoo.com email account
to be compromised simply by sending a specially crafted link to a logged-in
Yahoo user and making him/her click on it."[1]

[1]
[https://www.htbridge.com/news/what_s_your_email_security_wor...](https://www.htbridge.com/news/what_s_your_email_security_worth_12_dollars_and_50_cents_according_to_yahoo.html)

------
joejohnson
Christopher Soghoian tweeted about this and I thought it was a joke:
[https://twitter.com/csoghoian/status/384799909917884416](https://twitter.com/csoghoian/status/384799909917884416)

------
borlak
Does Yahoo have a public bounty program?

------
dreamdu5t
Yahoo didn't do anything wrong. The researchers did by not selling
vulnerabilities for more.

