Best solution, don't report the bugs. Use the bugs to get your money.. and publish them afterwards :D
On 29.05.13 16:04, James Condron wrote:
> Hrm,
>
> I read it that the issue was still the age but that the previous disclosure was another reason they had found. It's sneaky and poor but I didn't read it as a change in reason; just an additional thing they found. It may even be true.
>
> The fact is they handled this poorly but whether they're lying about another person finding it or not, had they been cleverly dishonest they would have gone with that in the first place.
>
> They ought really pay, though.
>
> On 29 May 2013, at 14:51, Jeffrey Walton <[email protected]> wrote:
>
>> Hi James,
>>
>>> I guess the email from ebay sorta makes it all moot anyway.
>>
>> It's interesting how the reason code changed. On May 24 the reason was Kugler was too young; and then on May 29 the reason was the flaw was previously reported.
>>
>> It sounds like PayPal is lying to bring this to an end; and they've lost more credibility.
>>
>> Jeff
>>
>> On Wed, May 29, 2013 at 9:22 AM, James Condron <[email protected]> wrote:
>>> Ah, but then don't forget that in a contract (which this most certainly is not, but the parallels are there) ambiguity benefits the party which didn't draft the document.
>>>
>>> If it's reasonable to infer a payment, and reasonable to fail to infer an age range, I think it's reasonable to get paid for it.
>>>
>>> I guess the email from ebay sorta makes it all moot anyway.
>>>
>>> On 29 May 2013, at 13:33, Julius Kivimäki <[email protected]> wrote:
>>>
>>>> Well, they don't exactly state that they're going to pay you either.
>>>>
>>>> 2013/5/29 Źmicier Januszkiewicz <[email protected]>
>>>>
>>>>> Hmm, interesting.
>>>>>
>>>>> For some reason I fail to find the mentioned "age requirements" at the official bug bounty page located at
>>>>> https://www.paypal.com/us/webapps/mpp/security/reporting-security-issues
>>>>> Am I looking in the wrong direction? Can someone please point to where this is written?
>>>>>
>>>>> With kind regards,
>>>>> Z.
>>>>>
>>>>> 2013/5/29 Robert Kugler <[email protected]>
>>>>>
>>>>>> 2013/5/29 Jeffrey Walton <[email protected]>
>>>>>>
>>>>>>> On Fri, May 24, 2013 at 12:38 PM, Robert Kugler <[email protected]> wrote:
>>>>>>>> Hello all!
>>>>>>>>
>>>>>>>> I'm Robert Kugler, a 17-year-old German student who's interested in securing computer systems.
>>>>>>>>
>>>>>>>> I would like to warn you that PayPal.com is vulnerable to a Cross-Site Scripting vulnerability!
>>>>>>>> PayPal Inc. is running a bug bounty program for professional security researchers.
>>>>>>>>
>>>>>>>> ...
>>>>>>>> Unfortunately PayPal disqualified me from receiving any bounty payment because of being 17 years old...
>>>>>>>>
>>>>>>>> ...
>>>>>>>> I don't want to allege PayPal a kind of bug bounty cost saving, but it's not the best idea when you're interested in motivated security researchers...
>>>>>>>
>>>>>>> Fortunately Microsoft and Firefox took more reasonable positions for the bugs you discovered with their products.
>>>>>>>
>>>>>>> PCWorld and MSN picked up the story:
>>>>>>>
>>>>>>> http://www.pcworld.com/article/2039940/paypal-denies-teenager-reward-for-finding-website-bug.html
>>>>>>> and
>>>>>>> http://now.msn.com/paypal-denies-reward-to-robert-kugler-teen-who-found-bug-in-code
>>>>>>>
>>>>>>> It is now newsworthy to Wikipedia, where it will live forever under Criticisms (unfortunately, it appears PayPal does a lot of questionable things so it's just one of a long list).
>>>>>>>
>>>>>>> Jeff
>>>>>>
>>>>>> Today I received an email from PayPal Site Security:
>>>>>>
>>>>>> "Hi Robert,
>>>>>>
>>>>>> We appreciate your research efforts and we are sorry that our age requirements restrict you from participating in our Bug Bounty Program.
>>>>>>
>>>>>> With regards to your specific bug submission, we should have also mentioned that the vulnerability you submitted was previously reported by another researcher and we are already actively fixing the issue. We hope that you understand that bugs that have previously been reported to us are not eligible for payment as we must honor the original researcher that provided the vulnerability.
>>>>>>
>>>>>> I would also mention that in general, PayPal has been a consistent supporter of what is known as "responsible disclosure". That is, ensuring that a company has a reasonable amount of time to fix a bug from notification to public disclosure. This allows the company to fix the bug, so that criminals cannot use that knowledge to exploit it, but still gives the researchers the ability to draw attention to their skills and experience. When researchers go down the "full disclosure" path, it then puts us in a race with criminals who may successfully use the vulnerability you found to victimize our customers. We do not support the full disclosure methodology, precisely because it puts real people at unnecessary risk. We hope you keep that in mind when doing future research.
>>>>>>
>>>>>> We acknowledge that PayPal can do more to recognize younger security researchers around the world. As a first step, we would like you to be the first security researcher in the history of our program to receive an official "Letter of Recognition" from our Chief Information Security Officer Michael Barrett (attached, will follow up with a signed copy tomorrow). We truly appreciate your contribution to helping keep PayPal secure for our customers and we will continue to explore other ways that we can provide alternate recognition for younger researchers.
>>>>>>
>>>>>> We'd welcome the chance to explain this all to you first hand over the phone; please email us at this address with a number and good time to reach you and we'd be happy to follow up.
>>>>>>
>>>>>> Thank you,
>>>>>> PayPal Site Security"
>>>>>>
>>>>>> It's still curious that they only mentioned the first researcher who previously found the bug after all the media attention... Nevertheless I appreciate their intentions to acknowledge also younger security researchers; it's a step in the right direction!!
>>>>>>
>>>>>> Best regards,
>>>>>>
>>>>>> Robert Kugler
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

-- 
SysEleven GmbH
Umspannwerk - Aufgang C
Ohlauer Straße 43
10999 Berlin
Tel +49 30 233 2012 0
Fax +49 30 616 755 50
http://www.syseleven.de
http://www.facebook.com/SysEleven
Registered office: Berlin
Register court: AG Berlin Charlottenburg, HRB 108571 B
Managing directors: Marc Korthaus, Thomas Lohner
