If Yahoo! had just sent the researchers t-shirts directly with thank-you notes, perhaps they still would have been disappointed with the reward but I doubt they (or we) would be as offended.
I'm sure the intention was something like, "Hey, we should send them a thank you package. T-shirts? But wait, we don't know their size. Oh, hang on, I have an idea!"
It depends on severity but I believe at Google the minimum is $1337.
With that being said, $12.50 is $12.50 more than PayPal's. I don't know anyone who has reported a vulnerability to PayPal that has actually received a reward.
Definitely. Paying such a small amount, especially in credit that can only be redeemed in a company store, is patronizing and gets you mentioned in a negative light on Hacker News. If you don't pay, you're just like one of the many companies that doesn't have a bounty program.
Edit: this reminds me of the "eBay goodies" offered to researcher Neal Poole in return for delaying disclosure of a vulnerability [https://nealpoole.com/blog/2013/03/bad-changes-to-ebays-resp...]. I would probably not have remembered that story if not for that "eBay goodies" line, just as I probably won't forget this story thanks to the screenshot of Yahoo-branded socks in the company store.
I agree with you. This reminds me of a 4-hour delay I had while flying with Delta, where they gave me a food voucher for two and a half dollars as an apology (only redeemable at the airport cafeteria, where the smallest sandwich cost $5). Now I will hate them forever.
I believe that not paying is better than paying little, because if you don't pay I can at least consider that you owe me one. Giving me a pittance removes the obligation from you for almost nothing. Even though this isn't very applicable to companies, I think that's the reason why we consider it insulting.
I seem to remember having read that when something is done for free it is handled by the brain's "maintain reputation and make friends" system, while when money is involved it is handled by the "make a profit, don't be screwed" system. My google-fu is failing though.
Well, what an XSS is worth on the black market is not necessarily the same as what companies offer to researchers who report vulnerabilities. Many companies will offer nothing more than a "Thank you, so-and-so" somewhere on their site or in the release notes for the fix.
I think the problem with Yahoo's response is that it looks like they are actively being cheapskates. Almost universally, cheap is worse than no-money-involved. A "thank you" might be appreciated, a reasonable monetary reward will probably be appreciated, and even sending some free swag might read as a warm gesture, but offering a $12 store credit pretty explicitly says "I value this very little."
Yahoo's CEO should be renamed Kathryn Janeway: she fucked up seriously in the first episode, and now she's going to have to spend the rest of her time cleaning up her mess.
Good security practices are something that has to be woven into many departments: design, development, testing, etc. Most of the researchers who report these kinds of bugs are more like hunters than zoo keepers. They want to go where there's fresh game, and they specialise in shooting holes in shit. If you put them in a zoo, their skills are going to be wasted.
Besides, I suspect working as a freelance l33t hacker is more profitable and gets you laid at parties.
Times have changed. Back in the day all we hoped was not getting sued for reporting a bug and now we are actually defaming companies who are not giving away good enough bounties.
Funny how actual cash evokes different reactions.