Full Disclosure mailing list archives
Re: PayPal.com XSS Vulnerability
From: Robert Kugler <robert.kugler10 () gmail com>
Date: Wed, 29 May 2013 13:42:32 +0200
2013/5/29 Jeffrey Walton <noloader () gmail com>
On Fri, May 24, 2013 at 12:38 PM, Robert Kugler <robert.kugler10 () gmail com> wrote:

> Hello all! I'm Robert Kugler, a 17-year-old German student who's interested in securing computer systems. I would like to warn you that PayPal.com is vulnerable to a Cross-Site Scripting vulnerability! PayPal Inc. is running a bug bounty program for professional security researchers. ... Unfortunately PayPal disqualified me from receiving any bounty payment because of being 17 years old... ... I don't want to allege PayPal a kind of bug bounty cost saving, but it's not the best idea when you're interested in motivated security researchers...

Fortunately Microsoft and Firefox took a more reasonable position for the bugs you discovered with their products.

PCWorld and MSN picked up the story: http://www.pcworld.com/article/2039940/paypal-denies-teenager-reward-for-finding-website-bug.html and http://now.msn.com/paypal-denies-reward-to-robert-kugler-teen-who-found-bug-in-code . It is now newsworthy to Wikipedia, where it will live forever under Criticisms (unfortunately, it appears PayPal does a lot of questionable things, so it's just one of a long list).

Jeff
Today I received an email from PayPal Site Security:

"Hi Robert,

We appreciate your research efforts and we are sorry that our age requirements restrict you from participating in our Bug Bounty Program. With regards to your specific bug submission, we should have also mentioned that the vulnerability you submitted was previously reported by another researcher and we are already actively fixing the issue. We hope that you understand that bugs that have previously been reported to us are not eligible for payment as we must honor the original researcher that provided the vulnerability.

I would also mention that in general, PayPal has been a consistent supporter of what is known as "responsible disclosure". That is, ensuring that a company has a reasonable amount of time to fix a bug from notification to public disclosure. This allows the company to fix the bug, so that criminals cannot use that knowledge to exploit it, but still gives the researchers the ability to draw attention to their skills and experience. When researchers go down the "full disclosure" path, it then puts us in a race with criminals who may successfully use the vulnerability you found to victimize our customers. We do not support the full disclosure methodology, precisely because it puts real people at unnecessary risk. We hope you keep that in mind when doing future research.

We acknowledge that PayPal can do more to recognize younger security researchers around the world. As a first step, we would like you to be the first security researcher in the history of our program to receive an official "Letter of Recognition" from our Chief Information Security Officer Michael Barrett (attached, will follow up with a signed copy tomorrow). We truly appreciate your contribution to helping keep PayPal secure for our customers and we will continue to explore other ways that we can provide alternate recognition for younger researchers.

We'd welcome the chance to explain this all to you first hand over the phone; please email us at this address with a number and good time to reach you and we'd be happy to follow up.

Thank you,
PayPal Site Security"

It's still curious that they only mentioned the first researcher who previously found the bug after all the media attention... Nevertheless I appreciate their intentions to also acknowledge younger security researchers; it's a step in the right direction!!

Best regards,
Robert Kugler
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/