I probably receive over 600 e-mails a day. Fortunately I have filters, and have become adroit at both speed reading and hitting delete. However, I do read at a minimum the subject lines of everything, and occasionally something really jumps out. Such is the case with an e-mail I received from security firm High-Tech Bridge. They had me with the headline and I read on. In fact, the content was so intriguing it seemed worthy of sharing.
This is more story than news, but what a story. It is a story with an important message.
Headquartered in Geneva, Switzerland, High-Tech Bridge is part of the “ethical hacking” community. It is a global provider of security services that touch on such areas as penetration testing, security auditing and computer crime investigation.
Based on headlines and anecdotal posts, the folks at High-Tech Bridge were curious about finding an answer to the question, “How good are bounty programs?” In case you are unfamiliar, many companies increasingly rely on outsiders to report vulnerabilities in their applications and websites. Think of this as crowd-sourcing security alerts, but with something for your efforts. As we shall see below, it is that something that is a source of concern.
By the way, if you are interested in bounty programs, check out Bug Bounty Programs. There might be some extra cash in it if you are good at exposing problems.
A tale of inattention and value underappreciated
High-Tech Bridge wanted to test how well bug bounty programs work by seeing how quickly security vulnerabilities could be found on well-known sites and how the recipient of a vulnerability notification would react, so it decided to kick the tires of Yahoo. Their reasoning makes sense. Yahoo processes the sensitive information of millions of users and, in theory, follows industry best practices and encourages security researchers to report discovered vulnerabilities:
“If you are a member of the security community and need to report a technical vulnerability, contact: firstname.lastname@example.org.”
What follows is the High-Tech Bridge narrative on their not so perfect adventure.
On Wednesday, Sept. 18, 2013, using nothing more than a Firefox Web browser, the first XSS vulnerability was found in just 45 minutes. It was a classic reflected XSS vulnerability affecting the marketingsolutions.yahoo.com domain, which was immediately reported to Yahoo. Yahoo’s speed of response was laudable; a reply was received in less than 24 hours, but the response was disappointing:
“Unfortunately this submission does not qualify for a reward because it has already been reported by another individual. Please continue to send in any other vulnerabilities that you may discover in the future.”
Obviously the reply didn’t provide any evidence that the vulnerability had been reported already.
The team continued its research on the following Sunday evening (Sept. 22). By Monday, Sept. 23, the Yahoo Security Team was notified of three more XSS vulnerabilities affecting the ecom.yahoo.com and adserver.yahoo.com domains. Each of the vulnerabilities could compromise any @yahoo.com e-mail user’s account – all that would be required was that the user, while logged in to Yahoo, click on a specially crafted link received in an e-mail.
This time Yahoo took 48 hours to reply. Yahoo warmly thanked High-Tech Bridge for reporting the vulnerabilities and offered a bounty… $12.50 per vulnerability. This amount was given as a discount code that can only be used in the Yahoo Company Store, which sells Yahoo’s corporate t-shirts, cups, pens and other accessories. At this point, the High-Tech Bridge team decided to hold off on any further research for Yahoo.
Ilia Kolochenko, High-Tech Bridge CEO, says, “Yahoo should probably revisit its relations with security researchers. Paying several dollars per vulnerability is a bad joke and won’t motivate people to report security vulnerabilities to them, especially when such vulnerabilities can be easily sold on the black market for a much higher price. Nevertheless, money is not the only motivation of security researchers. This is why companies like Google efficiently play the ego card in parallel with much higher financial rewards and maintain a ‘Hall of Fame’ where all security researchers who have ever reported security vulnerabilities are publicly listed. If Yahoo cannot afford to spend money on its corporate security, it should at least try to attract security researchers by other means. Otherwise, none of Yahoo’s customers can ever feel safe.”
Brian Martin, president of Open Security Foundation, comments on the experiment: “Vendor bug bounties are not a new thing. Recently, more vendors have begun to adopt and appreciate the value it brings their organization, and more importantly their customers. Even Microsoft, who was the most notorious hold-out on bug bounty programs, realized the value and jumped ahead of the rest, offering up to $100,000 for exploits that bypass their security mechanisms. Other companies should follow their example and realize that a simple ‘hall of fame,’ credit to buy the vendor's products, or a pittance in cash is not conducive to researcher cooperation. Some of these companies pay their janitors more money to clean their offices than they do security researchers finding vulnerabilities that may put thousands of their customers at risk.”
It should be noted that all four XSS vulnerabilities reported by High-Tech Bridge have since been patched by Yahoo.
We all know that the bottom line of the Internet is trust. It is hard to gain, easy to use and extremely difficult to reestablish. It is also no secret that perception can become reality. Indeed, as the quotes above show, the reality in this case creates the perception that Yahoo is not that into protecting you. If it were, it would respond faster and reward bigger. The message to users of Yahoo services, particularly since information such as the above has a nasty habit of going viral, is that Yahoo does not value the handling of your security to the same degree as those whom it hopes to effectively compete against.
In fact, the lesson could not be clearer: if you want the help of others (which you should, given the complexities of managing online risks in a world where non-ethical hackers are becoming more sophisticated and emboldened), then that help cannot and should not be rewarded with something insulting. All that paying a pittance does, and based on my own visit to the Yahoo store it amounts to nothing, is cause those who might be valuable in keeping trust with your customers to turn away.
Nobody likes to be “buggy-whipped.”
Edited by Alisen Downey