Yahoo, please start with a Vulnerability Reward Program

Yahoo Japan suspects up to 22 million user IDs may have been leaked; does not include passwords #breaking — Reuters Tech (@ReutersTech) May 17, 2013 This wouldn't happen if Yahoo had a Vulnerability Reward Program like Google, Facebook, Mozilla, Paypal, Etsy, etc (list of reward programs @bugcrowd). Last year I discovered

XSS bei Google - insgesamt $4600 für Schulen in Afrika

English version Vor zwei Jahren startete Google sein Vulnerability Reward Program und bezahlt seitdem Findern sicherheitsrelevanter Fehler in seinen Web-Anwendungen Belohnungen. In Summe wurden bisher $704.909,50 (Stand Dez. 2012) ausbezahlt. Obwohl Google bei Spenden den eigentlichen Reward verdoppelt, wurden bisher lediglich $25.825 (Quelle S.42) an gemeinnützige

News about Google's Vulnerability Reward Program

Recently Adam Mein spoke at AppSec USA 2012 and Kevin Stadmeyer at SysScan 360 in Beijing about Google's experience with the Web Vulnerability Reward Program. Both are Security Program Manager at Google. * 31 October 2011 - Bug Bounty Panel with Adam Mein at OWASP AppSec 2012 (Video, Transcript) * 13 December

Google's "0x0A List"

I'm very excited, because the Google Security Team has launched new Application Security pages, including a new Hall of Fame called 0x0A list. Now all related security informations are bundled to a central page. The table below lists the top 10 superstar perform,er since Google launched the vulnerability reward

Cross-Site-Scripting in Google Mail

In the last months I found several XSS vulnerabilities in Google's Gmail. All bugs are now fixed in a very short time. Currently Gmail has around 350 Mio. users and it's clear that Google taking a lot of efforts to protect their users. * Safebrowsing * Google's Security Tools * 2-Step-Verification * Vulnerability Reward

Ethiopia gets a new school - thanks to a XSS in Google+

Update 04/29/12: This blog post leads to a persistent XSS bug within InformationWeek.com  (screenshot), because Charlie Miller has tweeted about it. :-)   Update 05/02/12: InformationWeek has fixed the issue. I contribute to the Google Vulnerability Reward Program since November 2010 now and I found a