Hi James,

> I guess the email from ebay sorta makes it all moot anyway.

It's interesting how the reason code changed. On May 24 the reason was that Kugler was too young; and then on May 29 the reason was that the flaw was previously reported.

It sounds like PayPal is lying to bring this to an end; and they've lost more credibility.

Jeff

On Wed, May 29, 2013 at 9:22 AM, James Condron <ja...@zero-internet.org.uk> wrote:
> Ah, but then don't forget that in a contract (which this most certainly is
> not - but the parallels are there) ambiguity benefits the party which didn't
> draft the document.
>
> If it's reasonable to infer a payment, and reasonable to fail to infer an age
> range, I think it's reasonable to get paid for it.
>
> I guess the email from ebay sorta makes it all moot anyway.
>
> On 29 May 2013, at 13:33, Julius Kivimäki <julius.kivim...@gmail.com> wrote:
>
>> Well, they don't exactly state that they're going to pay you either.
>>
>> 2013/5/29 Źmicier Januszkiewicz <ga...@tut.by>
>>
>>> Hmm, interesting.
>>>
>>> For some reason I fail to find the mentioned "age requirements" at the
>>> official bug bounty page located at
>>> https://www.paypal.com/us/webapps/mpp/security/reporting-security-issues
>>> Am I looking in the wrong direction? Can someone please point to where
>>> this is written?
>>>
>>> With kind regards,
>>> Z.
>>>
>>> 2013/5/29 Robert Kugler <robert.kugle...@gmail.com>
>>>
>>>> 2013/5/29 Jeffrey Walton <noloa...@gmail.com>
>>>>
>>>>> On Fri, May 24, 2013 at 12:38 PM, Robert Kugler
>>>>> <robert.kugle...@gmail.com> wrote:
>>>>>> Hello all!
>>>>>>
>>>>>> I'm Robert Kugler, a 17-year-old German student who's interested in
>>>>>> securing computer systems.
>>>>>>
>>>>>> I would like to warn you that PayPal.com is vulnerable to a Cross-Site
>>>>>> Scripting vulnerability!
>>>>>> PayPal Inc. is running a bug bounty program for professional security
>>>>>> researchers.
>>>>>>
>>>>>> ...
>>>>>>
>>>>>> Unfortunately PayPal disqualified me from receiving any bounty payment
>>>>>> because of being 17 years old...
>>>>>>
>>>>>> ...
>>>>>>
>>>>>> I don't want to allege that PayPal is doing a kind of bug bounty cost
>>>>>> saving, but it's not the best idea when you're interested in motivated
>>>>>> security researchers...
>>>>>
>>>>> Fortunately Microsoft and Firefox took more reasonable positions for
>>>>> the bugs you discovered with their products.
>>>>>
>>>>> PCWorld and MSN picked up the story:
>>>>>
>>>>> http://www.pcworld.com/article/2039940/paypal-denies-teenager-reward-for-finding-website-bug.html
>>>>> and
>>>>> http://now.msn.com/paypal-denies-reward-to-robert-kugler-teen-who-found-bug-in-code
>>>>>
>>>>> It is now newsworthy to Wikipedia, where it will live forever under
>>>>> Criticisms (unfortunately, it appears PayPal does a lot of
>>>>> questionable things, so it's just one of a long list).
>>>>>
>>>>> Jeff
>>>>
>>>> Today I received an email from PayPal Site Security:
>>>>
>>>> "Hi Robert,
>>>>
>>>> We appreciate your research efforts and we are sorry that our
>>>> age requirements restrict you from participating in our Bug Bounty Program.
>>>> With regards to your specific bug submission, we should have also mentioned
>>>> that the vulnerability you submitted was previously reported by another
>>>> researcher and we are already actively fixing the issue. We hope that you
>>>> understand that bugs that have previously been reported to us are not
>>>> eligible for payment as we must honor the original researcher that provided
>>>> the vulnerability.
>>>>
>>>> I would also mention that in general, PayPal has been a consistent
>>>> supporter of what is known as "responsible disclosure". That is, ensuring
>>>> that a company has a reasonable amount of time to fix a bug from
>>>> notification to public disclosure. This allows the company to fix the bug,
>>>> so that criminals cannot use that knowledge to exploit it, but still gives
>>>> the researchers the ability to draw attention to their skills and
>>>> experience. When researchers go down the "full disclosure" path, it then
>>>> puts us in a race with criminals who may successfully use the vulnerability
>>>> you found to victimize our customers. We do not support the full
>>>> disclosure methodology, precisely because it puts real people at
>>>> unnecessary risk. We hope you keep that in mind when doing future research.
>>>>
>>>> We acknowledge that PayPal can do more to recognize younger security
>>>> researchers around the world. As a first step, we would like you to be the
>>>> first security researcher in the history of our program to receive an
>>>> official "Letter of Recognition" from our Chief Information Security
>>>> Officer Michael Barrett (attached, will follow up with a signed copy
>>>> tomorrow). We truly appreciate your contribution to helping keep PayPal
>>>> secure for our customers and we will continue to explore other ways that we
>>>> can provide alternate recognition for younger researchers.
>>>>
>>>> We'd welcome the chance to explain this all to you first hand over the
>>>> phone, please email us at this address with a number and good time to reach
>>>> you and we'd be happy to follow-up.
>>>>
>>>> Thank you,
>>>> PayPal Site Security"
>>>>
>>>> It's still curious that they only mentioned the first researcher who
>>>> previously found the bug after all the media attention... Nevertheless I
>>>> appreciate their intention to also acknowledge younger security
>>>> researchers; it's a step in the right direction!!
>>>>
>>>> Best regards,
>>>>
>>>> Robert Kugler

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/