Ah, but then don't forget that in a contract (which this most certainly is not - but the parallels are there) ambiguity benefits the party which didn't draft the document.
If it's reasonable to infer a payment, and reasonable to fail to infer an age range, I think it's reasonable to get paid for it. I guess the email from eBay sorta makes it all moot anyway.

On 29 May 2013, at 13:33, Julius Kivimäki <julius.kivim...@gmail.com> wrote:

> Well, they don't exactly state that they're going to pay you either.
>
> 2013/5/29 Źmicier Januszkiewicz <ga...@tut.by>
>
>> Hmm, interesting.
>>
>> For some reason I fail to find the mentioned "age requirements" at the
>> official bug bounty page located at
>> https://www.paypal.com/us/webapps/mpp/security/reporting-security-issues
>> Am I looking in the wrong direction? Can someone please point to where
>> this is written?
>>
>> With kind regards,
>> Z.
>>
>> 2013/5/29 Robert Kugler <robert.kugle...@gmail.com>
>>
>>> 2013/5/29 Jeffrey Walton <noloa...@gmail.com>
>>>
>>>> On Fri, May 24, 2013 at 12:38 PM, Robert Kugler
>>>> <robert.kugle...@gmail.com> wrote:
>>>>> Hello all!
>>>>>
>>>>> I'm Robert Kugler a 17 years old German student who's interested in
>>>>> securing computer systems.
>>>>>
>>>>> I would like to warn you that PayPal.com is vulnerable to a Cross-Site
>>>>> Scripting vulnerability!
>>>>> PayPal Inc. is running a bug bounty program for professional security
>>>>> researchers.
>>>>>
>>>>> ...
>>>>> Unfortunately PayPal disqualified me from receiving any bounty payment
>>>>> because of being 17 years old...
>>>>>
>>>>> ...
>>>>> I don’t want to allege PayPal a kind of bug bounty cost saving, but
>>>>> it’s not the best idea when you're interested in motivated security
>>>>> researchers...
>>>> Fortunately Microsoft and Firefox took more reasonable positions for
>>>> the bugs you discovered with their products.
>>>>
>>>> PCWorld and MSN picked up the story:
>>>> http://www.pcworld.com/article/2039940/paypal-denies-teenager-reward-for-finding-website-bug.html
>>>> and
>>>> http://now.msn.com/paypal-denies-reward-to-robert-kugler-teen-who-found-bug-in-code
>>>> .
>>>> It is now newsworthy to Wikipedia, where it will live forever under
>>>> Criticisms (unfortunately, it appears PayPal does a lot of
>>>> questionable things so it's just one of a long list).
>>>>
>>>> Jeff
>>>
>>> Today I received an email from PayPal Site Security:
>>>
>>> "Hi Robert,
>>>
>>> We appreciate your research efforts and we are sorry that our
>>> age requirements restrict you from participating in our Bug Bounty Program.
>>> With regards to your specific bug submission, we should have also mentioned
>>> that the vulnerability you submitted was previously reported by another
>>> researcher and we are already actively fixing the issue. We hope that you
>>> understand that bugs that have previously been reported to us are not
>>> eligible for payment as we must honor the original researcher that provided
>>> the vulnerability.
>>>
>>> I would also mention that in general, PayPal has been a consistent
>>> supporter of what is known as “responsible disclosure”. That is, ensuring
>>> that a company has a reasonable amount of time to fix a bug from
>>> notification to public disclosure. This allows the company to fix the bug,
>>> so that criminals cannot use that knowledge to exploit it, but still gives
>>> the researchers the ability to draw attention to their skills and
>>> experience. When researchers go down the “full disclosure” path, it then
>>> puts us in a race with criminals who may successfully use the vulnerability
>>> you found to victimize our customers. We do not support the full
>>> disclosure methodology, precisely because it puts real people at
>>> unnecessary risk. We hope you keep that in mind when doing future research.
>>>
>>> We acknowledge that PayPal can do more to recognize younger security
>>> researchers around the world. As a first step, we would like you to be the
>>> first security researcher in the history of our program to receive an
>>> official "Letter of Recognition" from our Chief Information Security
>>> Officer Michael Barrett (attached, will follow up with a signed copy
>>> tomorrow). We truly appreciate your contribution to helping keep PayPal
>>> secure for our customers and we will continue to explore other ways that we
>>> can provide alternate recognition for younger researchers.
>>>
>>> We'd welcome the chance to explain this all to you first hand over the
>>> phone, please email us at this address with a number and good time to reach
>>> you and we’d be happy to follow-up.
>>>
>>> Thank you,
>>> PayPal Site Security"
>>>
>>> It's still curious that they only mentioned the first researcher who
>>> previously found the bug after all the media attention... Nevertheless I
>>> appreciate their intentions to acknowledge also younger security
>>> researchers, it's a step in the right direction!!
>>>
>>> Best regards,
>>>
>>> Robert Kugler
>>>
>>> _______________________________________________
>>> Full-Disclosure - We believe in it.
>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>> Hosted and sponsored by Secunia - http://secunia.com/