STE WILLIAMS

Filipino phablet squawks ‘I’M STOLEN’


Smartphone feature fatigue is upon us, with even the Galaxy S4’s eyeball tracker and the iPhone 5S’ fingerprint reader capable only of inducing yawns of grudging appreciation.

Enter Filipino smartmobe-maker my|phone, its new Iceberg model and a new feature called TARA, aka the “Theft Apprehension and Asset Recovery Application”.


TARA will be familiar to anyone who has used the Find My iDevice features of Apple’s iCloud or Android’s Device Manager, as it allows remote locking and erasure of a phone’s contents.

The Iceberg takes things a step further by also emitting what its manufacturer calls “a loud alarm” that repeats the word “Magnanakaw” endlessly. Magnanakaw is Tagalog for “thief” or “burglar”. Tagalog is the native language of the Philippines and is spoken by most of the nation’s 98 million people, although it is the first language for only one quarter.

Beyond TARA, the Iceberg looks interesting for other reasons. The phablet boasts a 5.7” screen, Gorilla Glass 2, a 1.2 GHz quad-core MediaTek MT6589 CPU, a 12MP main camera, 16GB of storage and a gig of RAM.

All that costs just under 12,000 Philippine Pesos – just $US275 or £175.

That price doubtless plays well in the Philippines but would also make the Iceberg competitive beyond the nation’s shores for those brave enough to go without support. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/10/03/im_being_stolen_squawks_filipino_smartmobe/

Yahoo! Finds! Cash! Behind! Sofa! For! Proper! Bug! Bounties!


Yahoo! has quickly changed its bug bounty program after being ridiculed for handing just $US12.50 to researchers who found a nasty bug.

The purple palace has now done the decent thing – pop out a blog post offering decent amounts of cash for those who help it not to crash.


The author of the post is one Ramses Martinez, the director of something called “Yahoo Paranoids”, a name we’ll assume is an ever-so-ironically-cool Yahoo! way of saying “security department”.

Martinez details his embarrassment at the $12.50 reward and its delivery as branded tat, because Yahoo! “recently decided to improve the process of vulnerability reporting.” Just how recently isn’t revealed, but it is implied Yahoo! knew its bug bounty scheme was off the pace before the incident linked to above.

One “inbox … full of angry email from people inside and out of Yahoo” later Martinez says Yahoo! feels ready to share its plans with the world.

The details are listed on the post but amount to a promise to make bug reporting easier, implement a faster assessment and response process, fix things faster and send proper respect to researchers who find bugs.

There’s more money to splash, too. Martinez explains just how much as follows:

“Yahoo will now reward individuals and firms that identify what we classify as new, unique and/or high risk issues between $150 – $15,000. The amount will be determined by a clear system based on a set of defined elements that capture the severity of the issue.”

The new policy is promised to be with us by the end of October, but will be backdated to July 1st. Folks who found nasty bugs after the latter date will be paid under the new scheme. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/10/03/yahoo_finds_cash_behind_sofa_for_proper_bug_bounties/

Advertising in mobile apps – how much is too much?

The annual Virus Bulletin conference starts on Wednesday in Berlin, Germany.

Numerous Sophos researchers will be giving papers this year, and with two Naked Security regulars in attendance (Chester Wisniewski and John Hawes), we hope to bring you a blow-by-blow account of who says what, and why, as the conference unfolds.

Even though the event hasn’t started, however, I’d like to tell you about a paper that two of my long-term friends and colleagues from SophosLabs will be presenting.

Vanja Svajcer and Sean McDonald will be presenting a mixture of research, analysis and proposal they’ve written up under the headline Classifying Potentially Unwanted Applications in the mobile environment.

At this point, you’re probably wondering:

  • Why a write-up of a talk that hasn’t been given yet?
  • Isn’t every application potentially unwanted to someone?

Taking the second question first, you need to know that Potentially Unwanted Applications, or PUAs, are programs that aren’t unequivocally malicious.

Nevertheless, PUAs sail close enough to the metaphorical wind that well-informed system administrators often want to ban them from (or at least regulate them tightly on) their networks.

Often, security products can’t block this sort of application by default, no matter how reasonable that might seem, for legalistic reasons.

For example, it’s easy to argue that a computer virus – a self-replicating program that spreads without authorisation or control – should be blocked outright.

On the other hand, you can argue that software that isn’t intrinsically illegal, but merely happens to be ripe for abuse, ought to be given the benefit of the doubt, and should be classified somewhere between “known good” and “outright bad.”

Indeed, if you are the vendor of such software – spyware that is sold to monitor children, or to investigate an errant spouse, for example – you might even choose to argue such a matter through the courts.

That’s why most security software has a category of possible threats known as PUAs, or perhaps PUPs (potentially unwanted programs), or Potentially Unwanted Software. (That’s Microsoft’s name, and the acronym proves that at least someone in Redmond has a sense of humour.)

PUAs are programs that some people may want to use, that don’t openly break the law, and yet that many people will want to block.

And now to the first question.

I’m writing about Vanja’s and Sean’s yet-to-happen talk in order to offer you a chance, in the comments below, to pose questions (or blurt out opinions) that I can send to them, as part of helping them with their work.

I’ll pass your comments and questions to them to consider in the “question time” at the end of their talk, thus giving you a chance of having your say from a distance!

After all, most of us aren’t going to be attending the VB 2013 conference (though there is still time to register if you’re in the Berlin area), but we probably have some feelings – perhaps even strong feelings – about PUAs in the mobile ecosystem.

That’s down to adware, one of the mobile world’s biggest sub-categories of PUA.

In Sean’s and Vanja’s own words:

Has the world of PUAs changed with the advent of mobile apps? As the revenue model for application developers changes, should the security industry apply different criteria when considering mobile potentially unwanted applications?

In mid-2013, there are over 700,000 apps on Google Play and over 800,000 apps on iTunes, with numerous alternative application markets serving their share of Android apps. The major source of income for most of the apps is advertising revenue realised by integrating one or more advertising frameworks.

The difference between malware, PUAs and legitimate apps for mobile platforms is often less clear than in the desktop world… This leads application developers as well as developers of individual advertising frameworks into confusion about which features are acceptable.

Indeed, if you think about it, the appearance of banner ads inside mobile apps seems much more tolerable, and tolerated, than the same sort of thing in desktop applications.

Even amongst online ad-haters, there seems to be a general recognition that ads in mobile apps, done gently enough, represent a fair way for developers to earn a crust without needing to charge an up-front fee.

(Or there’s a reasonable and modest fee – typically a dollar or three – that will turn the ads off but still reward the developers.)

Vanja’s and Sean’s concern, if they will forgive me oversimplifying what they have argued, is that the computer security industry would like to be proactive in stamping out aggressive – possibly even dangerous and privacy-sapping – mobile adware behaviour.

At the same time, the security industry doesn’t want to spoil the ad-supported mobile app industry for those who are prepared to play fair.

But where do we draw the line?

Sean and Vanja identify several grades of adware aggression in the mobile world:

  • Banner ads. (Appear in ad-sized windows in the app itself, and are visible only in the app.)
  • Interstitial ads. (Typically fill the screen temporarily, for example between levels in gameplay.)
  • Push or notification ads. (Use the operating system notification area to present their message.)
  • Icon ads. (Appear outside the app, even after it exits, typically as home screen icons.)

So, what do you think? How far is too far in the ad-funded mobile ecosystem?

Let us know and we’ll pose your questions and comments from the floor at the Virus Bulletin conference…

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/7fFH879eiMQ/

National Cyber Security Awareness Month – let’s all do our bit to help

Today is the start of National Cyber Security Awareness Month (NCSAM), a US initiative aimed at making sure everyone has the resources they need to stay safer and more secure online.

But it isn’t just for those of you in the USA. Everyone, wherever they are, should use this month as a way to get clued up on security, help educate others on how to stay safe online, and spread the security message.

If you’re reading this, you’re probably already pretty clued up on how to use the internet safely. But are your friends? What about your family?

‘Our Shared Responsibility’

That’s the theme this year – so let’s make sure we all do our bit. Get started by reading our three essential tasks you can do to help your friends and family.

And because it’s the 10th anniversary of NCSAM, we’ve come up with 10 security topics that have hit the headlines over the last decade. From the hand-wavingly general to the pointedly specific, it makes an interesting read.

We’ll be writing a lot more about NCSAM over the next month, so stay tuned.

Oh, and to mark the month we’re giving away 5 goody bags!

We’ll be selecting one winner a week from our list of newsletter subscribers to say thanks to our loyal fans.

If you already receive our newsletter you’ll be automatically entered into the draw. And if you’re yet to subscribe and you’d like to be in with a chance of winning, you can sign up here.

We’ll be in touch at the end of the month if you’ve won. Good luck!

Image of gift bag courtesy of Shutterstock.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/IlG5HOJBiCM/

Yahoo pays first bug bounty – $12.50 in Company Store credit

Nervous reader, were you unsettled by the recent news that Yahoo’s email address recycling scheme had resulted in new account holders receiving past account owners’ personal details, including passwords and even an invitation to a wedding?

Did you fear that Yahoo might not be applying itself with all due gusto to users’ security, in spite of its having stated that it takes the security and privacy of its users very, very seriously?

Fret not. The exclamation-marked one has proved that it’s devoted to security.

How, you well may ask?

It paid a bug bounty to a security company, for finding a vulnerability that allowed any @yahoo.com email account to be compromised simply by sending a specially crafted link to a logged-in Yahoo user and tricking him or her into clicking.

In light of having been paid for that hole, the security company, Switzerland-based High-Tech Bridge, put a price tag on exactly how much Yahoo values their email security.

That would be $12.50 (£7.71).

The company had decided to test how quickly security holes on well-known, heavily trafficked sites such as Yahoo can be found and how the email provider reacts to a vulnerability notice.

Within 45 minutes of starting the research on 18 September, the company had netted a “classic reflected XSS vulnerability”, affecting the marketingsolutions.yahoo.com domain.
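To show what the “classic reflected XSS” class of bug mentioned above looks like from the defender’s side, here is an added example that is not code from the article, from High-Tech Bridge or from Yahoo. A constructed search-results page echoes a query parameter straight into the HTML (the defect), next to the same page with contextual output encoding applied (the fix), plus a small review-time check that flags rendered output containing tags the template did not contribute. The function names, the template and the sample input are assumptions.

```javascript
// Added example (not code from the article, from High-Tech Bridge or from
// Yahoo). The page template, function names and sample input are constructed.

// Encode the characters that can change meaning in an HTML text or
// double-quoted attribute context. Contextual output encoding like this is
// the standard fix for reflected XSS: the browser then shows the input as
// text instead of parsing it as markup.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: a value taken from the request (here a search query)
// is interpolated straight into the HTML response, so a crafted link whose
// query carries markup is rendered as markup for whoever follows the link.
function renderResultsUnsafe(query) {
  return `<h1>Results for: ${query}</h1>`;
}

// Hardened version of the same page: the untrusted value is encoded for the
// HTML text context it lands in.
function renderResultsSafe(query) {
  return `<h1>Results for: ${escapeHtml(query)}</h1>`;
}

// Review-time check: does the rendered output contain any tag that the
// template itself did not contribute? Catches the unsafe rendering above.
function containsInjectedTag(html, templateTags) {
  const tags = html.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  return tags.some((tag) => !templateTags.includes(tag));
}

const TEMPLATE_TAGS = ['<h1>', '</h1>'];

// Constructed sample input: a harmless bold tag stands in for whatever
// markup a crafted link's query might carry.
const SAMPLE_QUERY = '<b>marker</b>';

// Renders the same input both ways and reports whether each one leaks markup.
function compare(query = SAMPLE_QUERY) {
  const unsafe = renderResultsUnsafe(query);
  const safe = renderResultsSafe(query);
  return {
    unsafe,
    safe,
    unsafeLeaks: containsInjectedTag(unsafe, TEMPLATE_TAGS),
    safeLeaks: containsInjectedTag(safe, TEMPLATE_TAGS),
  };
}

console.log(compare());
```

The tag check is deliberately crude and only meant for a unit test over your own templates; in production the fix is the encoding itself, applied in every output context, with a Content-Security-Policy as defence in depth.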

High-Tech Bridge speedily reported the bug, and Yahoo speedily replied in less than 24 hours.

Unfortunately, Yahoo was just letting the security outfit know that the bug had already been reported.

Its message:

Unfortunately this submission does not qualify for a reward because it has already been reported by another individual. Please continue to send in any other vulnerabilities that you may discover in the future.

The reply didn’t provide the security company with evidence that the vulnerability had already been reported, but OK. Fine.

Its researchers went on poking, and in short order, they found more issues.

In fact, by 22 September, High-Tech Bridge had discovered three more XSS vulnerabilities affecting the ecom.yahoo.com and adserver.yahoo.com domains.

The company reported the issues on Monday, 23 September, letting Yahoo know that each of the discovered vulnerabilities allowed any @yahoo.com email account to be compromised simply by, again, sending a specially crafted link to a logged-in Yahoo user and convincing him/her to click on it.

Yahoo’s response was a bit slower in coming this time around.

Within 48 hours, Yahoo “warmly thanked” High-Tech Bridge and offered to lavish the company with the princely sum of $12.50 reward per one vulnerability.

If your first inclination was like mine, of course, you’d warn High-Tech Bridge: Don’t spend it all in one place, guys!

Unfortunately, they do have to spend it all in one place, because Yahoo isn’t giving them cash, exactly.

Rather, the funds were disbursed as a discount code to spend in the Yahoo Company Store, which sells Yahoo’s corporate swag: t-shirts, cups, Inkjoy Retractable Pens, a 7×9″ mousepad festooned with the image of balloons, or the Yahoo Unisex Baby Set, which features, among other things, an Emoticon Long Sleeve Onesie (6-12 month).

Except the Yahoo Unisex Baby Set actually costs $61.

I’m afraid you’ll have to discover a lot more XSS vulnerabilities to score that Yahoo Company Store item, High-Tech Bridge!

High-Tech Bridge is a tad miffed.

Ilia Kolochenko, High-Tech Bridge CEO, said this:

Paying several dollars per vulnerability is a bad joke and won’t motivate people to report security vulnerabilities to them, especially when such vulnerabilities can be easily sold on the black market for a much higher price.

Of course, money isn’t the only motivation for security researchers, Kolochenko went on to say. Ego is right up there.

That’s why, he said, companies like Google not only pay out much higher financial rewards, but they also maintain a Hall of Fame where all security researchers who have ever reported security vulnerabilities are publicly listed.

He says:

If Yahoo cannot afford to spend money on its corporate security, it should at least try to attract security researchers by other means. Otherwise, none of Yahoo’s customers can ever feel safe.

How much more do other companies pay out in bug bounties?

As of July 2013, when Microsoft paid its first bug bounty for a hole in Internet Explorer, Google had paid out about $580,000 over three years for 501 Chrome bugs, and Firefox had paid out about $570,000 over the same period for 190 bugs.

A study [PDF] from the University of California, Berkeley has found that paying bounties to independent security researchers is a better investment than hiring employees to do it.

If you compare bug bounty payouts with just one full-time salaried security researcher digging through code, at, say, $100,000 per year, it’s easy to see that the savings to a company can be huge.

In fact, the study found that bounty programs “appear to be 2-100 times more cost-effective than hiring expert security researchers to find vulnerabilities.”

High-Tech Bridge quoted Brian Martin, President of the non-profit Open Security Foundation, who commented on the High-Tech Bridge experiment, noting that some vendors pay their janitors more money to clean their offices than they do to security researchers who find vulnerabilities that could put thousands of their customers at risk.

High-Tech Bridge, for its part, says it’s decided to hold off on further research.

Yahoo, is this what you wanted to encourage with your first bug bounty payout? Security researchers throwing in the towel instead of helping to make your products safer to use?

I hope not.

Readers, what do you think? Do you think that the low payout means that Yahoo likely evaluated the XSS vulnerabilities and didn’t think much of them?

Or is it just that the Onesie stock’s running low?

Please let us know your thoughts in the comments below.

Image of bug courtesy of Shutterstock.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/GprmPZj6BFY/