Full Disclosure mailing list archives
Re: PayPal.com XSS Vulnerability
From: Julius Kivimäki <julius.kivimaki () gmail com>
Date: Wed, 29 May 2013 15:33:18 +0300
Well, they don't exactly state that they're going to pay you either.

2013/5/29 Źmicier Januszkiewicz <gauri () tut by>:
> Hmm, interesting. For some reason I fail to find the mentioned "age requirements" at the official bug bounty page located at https://www.paypal.com/us/webapps/mpp/security/reporting-security-issues
>
> Am I looking in the wrong direction? Can someone please point to where this is written?
>
> With kind regards,
> Z.
>
> 2013/5/29 Robert Kugler <robert.kugler10 () gmail com>:
>> 2013/5/29 Jeffrey Walton <noloader () gmail com>:
>>> On Fri, May 24, 2013 at 12:38 PM, Robert Kugler <robert.kugler10 () gmail com> wrote:
>>>> Hello all!
>>>>
>>>> I'm Robert Kugler, a 17-year-old German student who's interested in securing computer systems.
>>>>
>>>> I would like to warn you that PayPal.com is vulnerable to a Cross-Site Scripting vulnerability!
>>>>
>>>> PayPal Inc. is running a bug bounty program for professional security researchers.
>>>> ...
>>>> Unfortunately PayPal disqualified me from receiving any bounty payment because of being 17 years old...
>>>> ...
>>>> I don't want to accuse PayPal of a kind of bug bounty cost saving, but it's not the best idea when you're interested in motivated security researchers...
>>>
>>> Fortunately Microsoft and Firefox took more reasonable positions on the bugs you discovered in their products.
>>>
>>> PCWorld and MSN picked up the story: http://www.pcworld.com/article/2039940/paypal-denies-teenager-reward-for-finding-website-bug.html and http://now.msn.com/paypal-denies-reward-to-robert-kugler-teen-who-found-bug-in-code .
>>>
>>> It is now newsworthy to Wikipedia, where it will live forever under Criticisms (unfortunately, it appears PayPal does a lot of questionable things, so it's just one of a long list).
>>>
>>> Jeff
>>
>> Today I received an email from PayPal Site Security:
>>
>> "Hi Robert,
>>
>> We appreciate your research efforts and we are sorry that our age requirements restrict you from participating in our Bug Bounty Program.
>>
>> With regards to your specific bug submission, we should have also mentioned that the vulnerability you submitted was previously reported by another researcher and we are already actively fixing the issue. We hope that you understand that bugs that have previously been reported to us are not eligible for payment as we must honor the original researcher that provided the vulnerability.
>>
>> I would also mention that in general, PayPal has been a consistent supporter of what is known as "responsible disclosure". That is, ensuring that a company has a reasonable amount of time to fix a bug from notification to public disclosure. This allows the company to fix the bug, so that criminals cannot use that knowledge to exploit it, but still gives the researchers the ability to draw attention to their skills and experience. When researchers go down the "full disclosure" path, it then puts us in a race with criminals who may successfully use the vulnerability you found to victimize our customers. We do not support the full disclosure methodology, precisely because it puts real people at unnecessary risk. We hope you keep that in mind when doing future research.
>>
>> We acknowledge that PayPal can do more to recognize younger security researchers around the world. As a first step, we would like you to be the first security researcher in the history of our program to receive an official "Letter of Recognition" from our Chief Information Security Officer Michael Barrett (attached, will follow up with a signed copy tomorrow). We truly appreciate your contribution to helping keep PayPal secure for our customers and we will continue to explore other ways that we can provide alternate recognition for younger researchers.
>>
>> We'd welcome the chance to explain this all to you first hand over the phone; please email us at this address with a number and a good time to reach you and we'd be happy to follow up.
>>
>> Thank you,
>> PayPal Site Security"
>>
>> It's still curious that they only mentioned the first researcher who previously found the bug after all the media attention... Nevertheless, I appreciate their intention to acknowledge younger security researchers as well; it's a step in the right direction!!
>>
>> Best regards,
>> Robert Kugler

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: PayPal.com XSS Vulnerability, (continued)
- Re: PayPal.com XSS Vulnerability Zachary Cutlip (May 28)
- Re: PayPal.com XSS Vulnerability Kirils Solovjovs (May 28)
- Re: PayPal.com XSS Vulnerability Jeffrey Walton (May 28)
- Re: PayPal.com XSS Vulnerability Terrence (May 28)
- Re: PayPal.com XSS Vulnerability Kirils Solovjovs (May 28)
- Re: PayPal.com XSS Vulnerability Zachary Cutlip (May 28)
- Re: PayPal.com XSS Vulnerability Źmicier Januszkiewicz (May 29)
- Re: PayPal.com XSS Vulnerability Źmicier Januszkiewicz (May 29)
- Re: PayPal.com XSS Vulnerability Julius Kivimäki (May 29)
- Re: PayPal.com XSS Vulnerability James Condron (May 29)
- Re: PayPal.com XSS Vulnerability Jeffrey Walton (May 29)
- Re: PayPal.com XSS Vulnerability James Condron (May 29)
- Re: PayPal.com XSS Vulnerability Andre Helwig (May 29)
- Re: PayPal.com XSS Vulnerability Vulnerability Lab (May 29)
- Re: PayPal.com XSS Vulnerability Daniel Preussker (May 30)