Yahoo, please start with a Vulnerability Reward Program (nilsjuenemann.de)
66 points by nilsjuenemann on May 19, 2013 | 22 comments


"This wouldn't happen if Yahoo had a Vulnerability Reward Program"

As much as I support these kinds of programs (https://nealpoole.com/blog/responsible-disclosure-programs/), that's a false dichotomy. Some companies have responsible disclosure policies or vulnerability reward programs. Some companies don't.

Anecdotally, the companies that do have programs don't inherently respond more quickly or handle reports better (ie: https://nealpoole.com/blog/2013/04/experiences-with-the-yand..., https://nealpoole.com/blog/2013/03/csrf-persistent-xss-in-my...). In contrast, companies that don't have programs may still be very responsive and willing to work with researchers; I reported issues to GitHub, Etsy, and Facebook before their respective programs were in place and they always responded quickly and effectively.

It comes down to the people who focus on security at the company and the way in which security is prioritized. If your company doesn't value and prioritize security, a responsible disclosure program won't make anyone's life easier.

In that sense, I do think that companies can and should do a better job of working with security researchers, regardless of whether they have a responsible disclosure program or vulnerability reward program in place. If a company takes security seriously, it should make it easy for researchers to report vulnerabilities. Researchers shouldn't feel that their reports are being sent into a black hole: if they do, they'll be less likely to spend their time reporting issues in the future.


Even having an email address to send reports to would be good for a lot of websites. I sometimes don't bother reporting these issues for fear of being threatened with legal action.


You can send security reports about Yahoo to security@yahoo-inc.com. All of them are addressed, and you won't be threatened with legal action. If you're lucky you might get a T-shirt.

PS: I'm an ex-paranoid. Things might have changed since I left, but I'm pretty sure they'll still listen to reports.


Worse than that, they may just post the vulnerabilities publicly or sell them on Black Hat forums.


Feels just a little entitled. For the longest time hackers would notice an issue on a service they used, and out of respect for the service and concern for their own data, they would report. Threats of legal action would quickly follow, so hackers stopped reporting.

Now a lot of the major players have policies promising no legal action for responsible disclosure, some even have rewards (whether monetary or acknowledgement) for the hackers.

In this case, a response was given, no legal action was threatened, and the bug was quickly fixed. Isn't this the goal? Looks like Yahoo is doing their job here.


Well, it sounds like the author feels entitled to a 'thank you'.

Trouble is, it's not necessarily in the company's interest to acknowledge a past vulnerability in writing. Security team could've called him though; no paper trail, and it would've felt very authentic and personal.


Acknowledgement, I agree, is required at least. The OP got that from a bot. Monetary is always nice, but reputation...or just an ACTUAL person on the dev team saying "thank you for your help," is better than NOTHING as assumed in this article.


Actually, that wasn't a bot. The volume of security reports is too low to require an automated task. That mail was probably sent out by someone from the security team. It is a form letter, but that's for consistency across responses.


It's not self-entitlement; the OP is not obligated to help Yahoo! and simply states that there will be no more work for free.

It's in Yahoo!'s interest to give whitehats an incentive, because people with malicious intent already have an incentive, and Yahoo! should want legitimate security research types to find vulnerabilities before attackers do.


If anyone had the same allergic reaction I did to the above comment, please get in touch.


I just wrote my own post about how, two weeks ago, I could log in to Yahoo Mail with any password (http://nick.malcolm.net.nz/2013-05-20-yahoo-imap-vulnerabili...).

I agree with Nils that talking to bots sucks! These are big issues, and it feels lame if you don't think the issue is being given the attention it deserves (even if that attention is directed at you).


There's no problem putting it into a support ticket system - that's how issues get tracked and Alice going on holiday means things get followed up. But anything security related should be escalated immediately, skipping the typical CS levels. You can't afford to waste the (limited) time/effort of people who can a) help you and b) embarrass you very publicly, by making them fight scripted support responses and non-technical CS staff.

[edit]: grammar


Each and every website in the cloud is vulnerable to 0-day vulnerabilities, which keep popping up on and on... These days cloud security is being ignored to such a level that 0-day threats are being sold on the gray market at much higher prices than one will make from some bounty programs; we all know how Zendesk got compromised :-(

As per me, there should be some beginning to make at least the world's top 10,000 sites hack-proof. What do you guys have to say here...


I think that when you find a bug, you are obliged to all the users of the service to report it; it's really arrogant not to report any more bugs and wait until the wrong dude finds it...


Yahoo really needs to pull up its socks. They have already faced 4 major security breaches since last year. The one before this was at the end of March 2013.

Somebody is not doing their job right.


I agree that Yahoo should allocate funds for vulnerability testing!

I've gotten in trouble for finding loopholes in some reputable companies' setups, HAD I KNOWN that vulnerability rewards existed (I only found out recently)...my hat would've never been black. My ignorance is laughable, because I've never really been in the hacker scene...just look at my handle (quacker). BTW: time to start emailing companies :)

Title Suggestion: Yahoo - pay hackers for errors


No, you will just create more problems, just like when bounties for rats caused people to set up rat farms.


It's not possible for these programs to "create" problems, only to expose them. While many companies like to take the "la la la, I'm not listening!" approach to security, it doesn't actually make you more secure.


I don't think this analogy works. With this analogy, they'd have to be adding bugs to the code and then "finding" them to get the reward. In this case, having a reward would most likely result in more people specifically looking for bugs, but they'd be looking for them so that they could report them and get money for it. It's better to have to pay out a bug bounty than have a malicious entity find and exploit the bug later.


Did you not see the Dilbert cartoon where the punch line from Wally is "I just wrote me a new car"?


The people towards whom a vulnerability rewards program is targeted aren't the same people writing the code. That should be obvious.


You don't know much about human nature, do you? Insiders would pass details to trusted friends and get them to make the claim.

Just like quite a few insider trading cases it's the wife/family members that get the tip and buy the shares.
