It may also be that in many countries, including the US where PayPal is based, it can be difficult to enter into a legally binding contract with a minor. In many cases (with exceptions) a minor can void or exit a contract as they see fit, so you enter into a contract with a minor at your own peril. Sometimes a way around this is for a parent to enter into the contract on behalf of, or in addition to, the minor.
Zach

On May 28, 2013, at 8:26 AM, Dan Kaminsky <[email protected]> wrote:

> Heya Robert,
>
> So there's this pile of law around the world around work and kids; it's a
> rather recent development that <18 year olds can find problems that
> multibillion dollar interests are willing to pay bounties for. The laws are
> all trying to protect you from being made to pick berries or sew t-shirts
> instead of going to class and playing outside.
>
> Law may be code, but it compiles VERY slowly.
>
> In general, you can talk to people and things'll work out. Lawyerspeak
> may look daunting, but seriously, send some friendly emails, there's real
> people on the other side of those security@ addresses and they can usually
> figure out some way around pesky things like birthdays.
>
> --Dan
>
> On Fri, May 24, 2013 at 9:38 AM, Robert Kugler <[email protected]>
> wrote:
> Hello all!
>
> I'm Robert Kugler, a 17-year-old German student who's interested in securing
> computer systems.
>
> I would like to warn you that PayPal.com is vulnerable to a Cross-Site
> Scripting vulnerability!
> PayPal Inc. is running a bug bounty program for professional security
> researchers.
>
> https://www.paypal.com/us/webapps/mpp/security/reporting-security-issues
>
> XSS vulnerabilities are in scope. So I tried to take part and sent my find to
> PayPal Site Security.
>
> The vulnerability is located in the search function and can be triggered with
> the following javascript code:
>
> ';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";
> alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--
> ></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
>
> https://www.paypal.com/de/cgi-bin/searchscr?cmd=_sitewide-search
>
> Screenshot: http://picturepush.com/public/13144090
>
> Unfortunately PayPal disqualified me from receiving any bounty payment
> because of being 17 years old...
>
> PayPal Site Security:
>
> "To be eligible for the Bug Bounty Program, you must not:
> ... Be less than 18 years of age. If PayPal discovers that a researcher does
> not meet any of the criteria above, PayPal will remove that researcher from
> the Bug Bounty Program and disqualify them from receiving any bounty
> payments."
>
> I don’t want to allege PayPal a kind of bug bounty cost saving, but it’s not
> the best idea when you're interested in motivated security researchers...
>
> Best regards,
>
> Robert Kugler
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
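
Added example, not part of the original thread and not PayPal's code: the test string in the report quoted above probes several output contexts at once (single- and double-quoted script strings, an HTML comment, a script element, an attribute value), so the server-side fix is encoding per context. The page template and all function names below are hypothetical; the thread does not say where the search term is reflected.

```javascript
// Added example. PROBE is the test string from the report above, joined onto
// one line; the page template and all function names are hypothetical.
const PROBE =
  "';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//\";" +
  "alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--" +
  "></SCRIPT>\">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>";

// HTML text and quoted-attribute contexts: entity-encode the significant characters.
function encodeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Inline-script string context: \uXXXX-escape every UTF-16 unit that is not an
// ASCII letter or digit, so quotes, backslashes, "</script>" and "-->" cannot
// appear literally inside the string literal.
function encodeJsString(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (c) =>
    "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0"));
}

// Hypothetical search-results fragment that echoes the term in three contexts.
function renderResults(term, encode) {
  const html = encode ? encodeHtml : (x) => x;
  const js = encode ? encodeJsString : (x) => x;
  return [
    `<p>Results for ${html(term)}</p>`,
    `<input name="q" value="${html(term)}">`,
    `<script>var lastQuery = '${js(term)}';</script>`,
  ].join("\n");
}

// Structural check: the template itself opens exactly one <script> element,
// so any higher count means the echoed term was parsed as markup.
function scriptOpenTags(markup) {
  return (markup.match(/<script/gi) || []).length;
}

console.log("unencoded:", scriptOpenTags(renderResults(PROBE, false)));
console.log("encoded:  ", scriptOpenTags(renderResults(PROBE, true)));
console.log(renderResults(PROBE, true));
```

The same entity encoder is not safe inside a script block, and the script-string encoder is not meant for HTML text; each reflection point needs the encoder for its own context.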
