<i>"This wouldn't happen if Yahoo had a Vulnerability Reward Program"</i><p>As much as I support these kinds of programs (<a href="https://nealpoole.com/blog/responsible-disclosure-programs/" rel="nofollow">https://nealpoole.com/blog/responsible-disclosure-programs/</a>), that's a false dichotomy. Some companies have responsible disclosure policies or vulnerability reward programs. Some companies don't.<p>Anecdotally, the companies that do have programs don't inherently respond more quickly or handle reports better (e.g., <a href="https://nealpoole.com/blog/2013/04/experiences-with-the-yandex-bug-bounty-program/" rel="nofollow">https://nealpoole.com/blog/2013/04/experiences-with-the-yand...</a>, <a href="https://nealpoole.com/blog/2013/03/csrf-persistent-xss-in-my-ebay-com/" rel="nofollow">https://nealpoole.com/blog/2013/03/csrf-persistent-xss-in-my...</a>). In contrast, companies that don't have programs may still be very responsive and willing to work with researchers; I reported issues to GitHub, Etsy, and Facebook before their respective programs were in place, and they always responded quickly and effectively.<p>It comes down to the people who focus on security at the company and the way in which security is prioritized. If your company doesn't value and prioritize security, a responsible disclosure program won't make anyone's life easier.<p>In that sense, I do think that companies can and should do a better job of working with security researchers, regardless of whether they have a responsible disclosure program or vulnerability reward program in place. If a company takes security seriously, it should make it easy for researchers to report vulnerabilities. Researchers shouldn't feel that their reports are being sent into a black hole: if they do, they'll be less likely to spend their time reporting issues in the future.
Feels just a little entitled. For the longest time hackers would notice an issue on a service they used, and out of respect for the service and concern for their own data, they would report. Threats of legal action would quickly follow, so hackers stopped reporting.<p>Now a lot of the major players have policies promising no legal action for responsible disclosure, some even have rewards (whether monetary or acknowledgement) for the hackers.<p>In this case, a response was given, no legal action was threatened, and the bug was quickly fixed. Isn't this the goal? Looks like Yahoo is doing their job here.
I just wrote my own post about how, two weeks ago, I could log in to Yahoo Mail with any password (<a href="http://nick.malcolm.net.nz/2013-05-20-yahoo-imap-vulnerability.html" rel="nofollow">http://nick.malcolm.net.nz/2013-05-20-yahoo-imap-vulnerabili...</a>).<p>I agree with Nils that talking to bots sucks! These are big issues, and it feels lame if you don't think the issue is being given the attention it deserves (even if that attention is directed at you).
Each and every website in the cloud is vulnerable to 0-day vulnerabilities, which keep popping up on and on... These days cloud security is being ignored to such a level that 0-day threats are being sold on the gray market at much higher prices than one would make from some bounty programs; we all know how Zendesk got compromised :-(<p>As per me, there should be some beginning to make at least the world's top 10,000 sites hack-proof? What do you guys have to say here...
Yahoo really needs to pull up their socks. They have already faced 4 major security breaches since last year. The one before this was at the end of March 2013.<p>Somebody is not doing their job right.
I think that when you find a bug, you are obliged to all the users using the service to report it. It's really arrogant not to report any more bugs and to wait until the wrong dude finds it...
I agree that Yahoo should allocate funds for vulnerability testing!<p>I've gotten in trouble for finding loopholes in some reputable companies' setups. HAD I KNOWN that vulnerability rewards existed (I only found out recently)... my hat would've never been black. My ignorance is laughable, because I've never really been in the hacker scene... just look at my handle (quacker). BTW: time to start emailing companies :)<p>Title suggestion: Yahoo - pay hackers for errors