Like a techie Paladin (photo, above), the gun-slinging bounty hunter from the late 1950s TV western Have Gun, Will Travel, Mark Litchfield doesn’t mind recounting his exploits in the internet’s wild, wild west. For example, he recently helped Yahoo Small Business locate and plug “a handful of vulnerabilities that could have given an attacker free rein over all of its user-run eCommerce websites and caused multiple headaches for small business owners,” according to Threatpost, the Kaspersky Lab Security News Service.
Working on behalf of Yahoo’s “penetration team,” Litchfield dug up several vulnerabilities while testing the company’s applications. He told Threatpost one bug could have allowed him to fully administer any Yahoo store and gain access to customers’ personally identifiable information, including names, email addresses and telephone numbers. An attacker could also rig a web store to let them shop for free, or at a deep discount, he claims.
Fortunately, using Litchfield and other hired “guns,” Yahoo found and addressed the potential security breaches before criminal hackers did.
Chris Rohlf, the head of Yahoo’s penetration testing team, announced late last year that the company would disclose any vulnerabilities that its bug-hunting team digs up within 90 days of discovery. The company has addressed nearly 2,000 externally reported bugs and Litchfield, who was awarded $24,000 for discovering the Yahoo Small Business vulnerabilities, is one of its more prolific bug reporters.
According to a speech given a few months ago by Yahoo’s chief information security officer, Alex Stamos, the company has paid out $700,000 in bounties.
(Note: As we reported recently, Yahoo Small Business will soon be spun off as a separate company from Yahoo, as part of the company’s plan to return tax-free to shareholders much of the value it gained from the IPO of Alibaba. Its 15% stake in that company was worth around $40 billion.)