This post was originally published on Mashable.

If you are a skilled security researcher and you uncover and report a Microsoft bug or vulnerability, you might get up to US$100,000. With Facebook, you might get US$12,500, and with Google, the reward could be US$20,000.

In Yahoo's case, you get a $25 voucher that can only be used to buy company swag, such as a T-shirt, a few light-up ice cubes or some "poopy bag dispensers" - though some of these don't even sport the new Yahoo logo.

That's the paltry reward that Yahoo offered to a Swiss security researcher who uncovered and responsibly reported three serious vulnerabilities on September 23.

"Initially I thought it was a joke," said Ilia Kolochenko, chief executive of security firm High Tech Bridge.

If exploited by malicious hackers, the bugs could potentially allow them to take over any Yahoo email account by tricking a logged-in user into clicking a specially crafted link, according to a blog post published by High Tech Bridge, the security firm who found the bugs.

In recent years, so-called bug bounty programs have become very popular among Silicon Valley companies. In essence, these programs aim to reward responsible security researchers or hackers who find bugs in products or software and report them to the affected companies, which in turn reward them. Google, Facebook and Microsoft all have such programs. Yahoo doesn't, although it encourages researchers to report vulnerabilities.

"If you are a member of the security community and need to report a technical vulnerability, contact: security@yahoo-inc.com," the Yahoo security policies state.

With that in mind, Kolochenko set out to find out more about how exactly Yahoo! deals with these kinds of reports.

"The goal of the experiment was very simple: to find out how quickly security vulnerabilities on well-known websites such as Yahoo! can be found and to see how the company reacts to a vulnerability notification," the firm wrote in its blog post.

Kolochenko started working on this experiment on September 18, and, by accident, he quickly found one bug and reported it. But the Yahoo! security team responded that the vulnerability had already been flagged.

On September 22, while stuck in an airport lounge for six hours, he found three serious cross-site scripting (XSS) vulnerabilities affecting the domains ecom.yahoo.com and adserver.yahoo.com. These bugs could have been used to hack into Yahoo! email accounts, according to Kolochenko.

When he reported them, Yahoo! acknowledged two of the three bugs and thanked him, offering a US$25 (or US$12.50 per bug) discount voucher to be used on the Yahoo Company Store.

While Kolochenko said he "was not doing the research for money", he found the amounts "quite surprising".

"I didn't complain," he said. "[I] just asked them if they have an 'Honour Roll' and if they really pay these amounts."

Facebook, by comparison, recently paid US$12,500 to a hacker who found a bug that allowed him to delete any user's pictures. Though the social network also recently failed to reward another hacker who broke into Mark Zuckerberg's Timeline.

Kolochenko decided to "hold off on further research", and needless to say, he was ultimately disappointed.

"Yahoo! should probably revise their relations with security researchers," Kolochenko was quoted as saying in the blog post. "Paying several dollars per vulnerability is a bad joke and won't motivate people to report security vulnerabilities to them, especially when such vulnerabilities can be easily sold on the black market for a much higher price."

Security expert and blogger Graham Cluley also criticised Yahoo in a blog post.

"Of course, money (and t-shirts) shouldn't be the only motivation for reporting a security vulnerability," he wrote. "But such a risible reward is unlikely to win Yahoo! any friends and could - if anything - make it less likely that the site will gain the assistance of white-hats in future."

Yahoo! did not respond to requests for comment, but High Tech Bridge said the bugs were all patched by Yahoo! when the security firm disclosed the incident in its blog post.

Asked if he would redeem the voucher - which could he could use to buy a Yahoo! volleyball, a purple rubber duck, or, perhaps Yahoo's gourmet jelly beans - Kolochenko simply responded: "No."

Mashable is the largest independent news source covering digital culture, social media and technology.