Bug bounties from Google and Facebook regularly clear thousands of dollars for a single, high-profile bug. Yahoo finally has joined the game, also for four figures — but with a different decimal place.
The security firm High Tech Bridge set out to see what Yahoo would pay for disclosing bugs discovered on its site, since the company hadn’t stated what they were worth but did say that it encouraged researchers to report bugs.
After reporting three cross-site scripting (XSS) vulnerabilities that could compromise a user’s account with what High Tech Bridge described as basic phishing techniques, Yahoo responded with its thanks within 48 hours. The research firm was rewarded with $12.50 per vulnerability, significantly lower than Facebook’s or Google’s lowest bounties, which come in at $500 and $100 for the lowest priority bugs, respectively.