Hmm, interesting. For some reason I fail to find the mentioned "age requirements" at the official bug bounty page located at https://www.paypal.com/us/webapps/mpp/security/reporting-security-issues

Am I looking in the wrong direction? Can someone please point to where this is written?

With kind regards,
Z.

2013/5/29 Robert Kugler <[email protected]>

> 2013/5/29 Jeffrey Walton <[email protected]>
>
>> On Fri, May 24, 2013 at 12:38 PM, Robert Kugler
>> <[email protected]> wrote:
>> > Hello all!
>> >
>> > I'm Robert Kugler, a 17-year-old German student who's interested in
>> > securing computer systems.
>> >
>> > I would like to warn you that PayPal.com is vulnerable to a Cross-Site
>> > Scripting vulnerability!
>> > PayPal Inc. is running a bug bounty program for professional security
>> > researchers.
>> >
>> > ...
>> > Unfortunately PayPal disqualified me from receiving any bounty payment
>> > because of being 17 years old...
>> >
>> > ...
>> > I don’t want to allege PayPal a kind of bug bounty cost saving, but
>> > it’s not the best idea when you're interested in motivated security
>> > researchers...
>>
>> Fortunately Microsoft and Firefox took more reasonable positions for
>> the bugs you discovered with their products.
>>
>> PCWorld and MSN picked up the story:
>>
>> http://www.pcworld.com/article/2039940/paypal-denies-teenager-reward-for-finding-website-bug.html
>> and
>> http://now.msn.com/paypal-denies-reward-to-robert-kugler-teen-who-found-bug-in-code
>>
>> It is now newsworthy to Wikipedia, where it will live forever under
>> Criticisms (unfortunately, it appears PayPal does a lot of
>> questionable things, so it's just one of a long list).
>>
>> Jeff
>>
>
> Today I received an email from PayPal Site Security:
>
> "Hi Robert,
>
> We appreciate your research efforts and we are sorry that our
> age requirements restrict you from participating in our Bug Bounty Program.
> With regards to your specific bug submission, we should have also mentioned
> that the vulnerability you submitted was previously reported by another
> researcher and we are already actively fixing the issue. We hope that you
> understand that bugs that have previously been reported to us are not
> eligible for payment as we must honor the original researcher that provided
> the vulnerability.
>
> I would also mention that in general, PayPal has been a consistent
> supporter of what is known as “responsible disclosure”. That is, ensuring
> that a company has a reasonable amount of time to fix a bug from
> notification to public disclosure. This allows the company to fix the bug,
> so that criminals cannot use that knowledge to exploit it, but still gives
> the researchers the ability to draw attention to their skills and
> experience. When researchers go down the “full disclosure” path, it then
> puts us in a race with criminals who may successfully use the vulnerability
> you found to victimize our customers. We do not support the full
> disclosure methodology, precisely because it puts real people at
> unnecessary risk. We hope you keep that in mind when doing future research.
>
> We acknowledge that PayPal can do more to recognize younger security
> researchers around the world. As a first step, we would like you to be the
> first security researcher in the history of our program to receive an
> official "Letter of Recognition" from our Chief Information Security
> Officer Michael Barrett (attached, will follow up with a signed copy
> tomorrow). We truly appreciate your contribution to helping keep PayPal
> secure for our customers and we will continue to explore other ways that we
> can provide alternate recognition for younger researchers.
>
> We'd welcome the chance to explain this all to you first hand over the
> phone, please email us at this address with a number and good time to reach
> you and we’d be happy to follow-up.
>
> Thank you,
> PayPal Site Security"
>
> It's still curious that they only mentioned the first researcher who
> previously found the bug after all the media attention... Nevertheless, I
> appreciate their intentions to also acknowledge younger security
> researchers; it's a step in the right direction!!
>
> Best regards,
>
> Robert Kugler
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
