Having a bug bounty doesn't mean you take security seriously

Yahoo pays US$12.50 for a cross-site scripting vulnerability that could compromise email addresses. Does that mean it doesn't take security seriously? Not necessarily.
Written by Michael Lee, Contributor

If some guy walked into our office and started to write my articles for me, I'd be somewhat appreciative, if not worried for my job security. But if he then started asking the company for money, I'm pretty sure, and hopeful, that he'd be politely told to go through the regular channels and apply for a job.

Depending on how the industry is going, maybe my employer might keep him on as a freelancer, but given they have a paid-for resource (me!) they'll either thank him for his time and tell him to move along, or charge him some pitiful rate so as to make it worthwhile for the company.

I'm not trying to get someone else to do my job (unless I've outsourced it to China or India), so why am I telling you this?

Because it's exactly what happens when security researchers submit vulnerabilities and then get all angry when they receive a pittance for pay.

Take the perspective of companies like Cisco, IBM, Symantec, EMC and Huawei. These are large companies that arguably have a large investment in security if they are not security companies themselves. But they also do not pay or compensate security researchers that alert them to vulnerabilities.

And why should they?

If they are already investing in a security team which is meant to be catching these issues, then why pay someone else, especially when it's hard enough to get a job at these places? Yes, it's nice to have another set of eyes on the issue, and yes, outsider help is appreciated, but outsourcing this work is not sound business logic.

That said, most organisations that have a heart will realise that whether the researcher is a whitehat, greyhat or bluehat (as Microsoft puts it), they aren't necessarily an arsehat. A word of recognition, a t-shirt in the mail, a nicely worded email are often all that some researchers are looking for. It is the equivalent of that guy being thanked and politely turned away.

When Yahoo sent researchers from High-Tech Bridge US$12.50 each for two cross-site scripting vulnerabilities, I don't think it did anything wrong. I'm not about to applaud mediocrity, but they are doing more than IBM and the like.

But it is wrong to conclude that Yahoo values a cross-site scripting vulnerability at only US$12.50, because that assumes Yahoo's entire security relies completely on the reports of volunteers. That may actually be the case, if Yahoo simply doesn't care about security, but no one really has any idea what happens on Yahoo's own security teams. There appears to be a huge misconception that the size and presence of a bug bounty is proportionate to an organisation's attitude towards security.

On one hand, a startup like Etsy has a dedicated security team and offers bounties starting at US$500 across its site, API and mobile applications — pretty much anywhere. On the other, Samsung has a US$1000 bug bounty, but it's limited specifically to television sets launched in the past two years — an extremely limited scope.

Etsy clearly has a strong security stance, even if its bug bounty is lower than Samsung's, but there's no telling what goes on at Samsung, or if the limited scope will even mean anything significant gets reported. The bottom line is that despite similar rewards, there's no telling what Samsung is thinking.

However, the researchers from High-Tech Bridge did do the right thing when they decided to hold off on their research after learning Yahoo pays a pittance. If Yahoo is serious about security and doesn't need the help of researchers, then it's not worth wasting time. There are many more organisations that would be happy to pay researchers more for their time.

But if Yahoo isn't serious about security and it really is in such a bad state that it relies on volunteered reports, perhaps the best thing to do is watch a company crash and burn. It's a jungle out there, and only the strongest survive.

Update (October 10, 2012): Director of Yahoo Paranoids (its security division) Ramses Martinez has responded, revealing that he often sent the US$12.50 out of his own pocket and that this was not official company policy. Yahoo will soon have an official policy in place with rewards between US$150 and US$15,000, which will be back-dated to July 1, 2013.
