If Yahoo! had just sent the researchers t-shirts directly with thank-you notes, perhaps they still would have been disappointed with the reward but I doubt they (or we) would be as offended.<p>Funny how actual cash evokes different reactions.
I'm sure the intention was something like, "Hey, we should send them a thank you package. T-shirts? But wait, we don't know their size. Oh, hang on, I have an idea!"<p>And then they end up looking like jerks.
What's an XSS usually worth? I'm guessing it varies by product and company, but I would venture to say about $500-1000.<p>Really puts the $12.50 in company store credit into perspective.
Yahoo CEO rename to Kathryn Janeway. Fuck up seriously in the first episode, and now she's going to have to spend the rest of her time cleaning up her mess.
I don't think reporting security bugs is a great way to become rich. If you <i>expect</i> to be compensated you should convince Yahoo to hire you.<p>Is this worse than the many companies that have never given anything to any reporter?
Times have changed. Back in the day all we hoped for was not getting sued for reporting a bug, and now we are actually defaming companies who are not giving away good enough bounties.<p>It's great to see that we came to this point.
Personally, I'd <i>prefer</i> a little "Thank You" on some Yahoo site.<p>$12.50 seems insulting. "Oh, your time is worth $12.50 to us, but thanks for disclosing a huge XSS issue."
I wonder if this is why I've been getting so much spam from Yahoo accounts (and actually sent from Yahoo's servers, from legitimate accounts).