Well, they don't exactly state that they're going to pay you either.
2013/5/29 Źmicier Januszkiewicz <ga...@tut.by>
> Hmm, interesting.
>
> For some reason I fail to find the mentioned "age requirements" at the official bug bounty page located at https://www.paypal.com/us/webapps/mpp/security/reporting-security-issues
> Am I looking in the wrong direction? Can someone please point to where this is written?
>
> With kind regards,
> Z.
>
> 2013/5/29 Robert Kugler <robert.kugle...@gmail.com>
>> 2013/5/29 Jeffrey Walton <noloa...@gmail.com>
>>> On Fri, May 24, 2013 at 12:38 PM, Robert Kugler <robert.kugle...@gmail.com> wrote:
>>> > Hello all!
>>> >
>>> > I'm Robert Kugler, a 17-year-old German student who's interested in securing computer systems.
>>> >
>>> > I would like to warn you that PayPal.com is vulnerable to a Cross-Site Scripting vulnerability!
>>> > PayPal Inc. is running a bug bounty program for professional security researchers.
>>> >
>>> > ...
>>> > Unfortunately PayPal disqualified me from receiving any bounty payment because of being 17 years old...
>>> >
>>> > ...
>>> > I don’t want to allege PayPal a kind of bug bounty cost saving, but it’s not the best idea when you're interested in motivated security researchers...
>>> Fortunately Microsoft and Firefox took more reasonable positions for the bugs you discovered with their products.
>>>
>>> PCWorld and MSN picked up the story:
>>>
>>> http://www.pcworld.com/article/2039940/paypal-denies-teenager-reward-for-finding-website-bug.html
>>> and
>>> http://now.msn.com/paypal-denies-reward-to-robert-kugler-teen-who-found-bug-in-code
>>>
>>> It is now newsworthy to Wikipedia, where it will live forever under Criticisms (unfortunately, it appears PayPal does a lot of questionable things, so it's just one of a long list).
>>>
>>> Jeff
>>
>> Today I received an email from PayPal Site Security:
>>
>> "Hi Robert,
>>
>> We appreciate your research efforts and we are sorry that our age requirements restrict you from participating in our Bug Bounty Program. With regards to your specific bug submission, we should have also mentioned that the vulnerability you submitted was previously reported by another researcher and we are already actively fixing the issue. We hope that you understand that bugs that have previously been reported to us are not eligible for payment as we must honor the original researcher that provided the vulnerability.
>>
>> I would also mention that in general, PayPal has been a consistent supporter of what is known as “responsible disclosure”. That is, ensuring that a company has a reasonable amount of time to fix a bug from notification to public disclosure. This allows the company to fix the bug, so that criminals cannot use that knowledge to exploit it, but still gives the researchers the ability to draw attention to their skills and experience. When researchers go down the “full disclosure” path, it then puts us in a race with criminals who may successfully use the vulnerability you found to victimize our customers. We do not support the full disclosure methodology, precisely because it puts real people at unnecessary risk. We hope you keep that in mind when doing future research.
>>
>> We acknowledge that PayPal can do more to recognize younger security researchers around the world. As a first step, we would like you to be the first security researcher in the history of our program to receive an official "Letter of Recognition" from our Chief Information Security Officer Michael Barrett (attached, will follow up with a signed copy tomorrow). We truly appreciate your contribution to helping keep PayPal secure for our customers and we will continue to explore other ways that we can provide alternate recognition for younger researchers.
>>
>> We'd welcome the chance to explain this all to you first hand over the phone; please email us at this address with a number and good time to reach you and we’d be happy to follow up.
>>
>> Thank you,
>> PayPal Site Security"
>>
>> It's still curious that they only mentioned the first researcher who previously found the bug after all the media attention... Nevertheless I appreciate their intentions to also acknowledge younger security researchers; it's a step in the right direction!!
>>
>> Best regards,
>>
>> Robert Kugler
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/