Full Disclosure mailing list archives

Re: PayPal.com XSS Vulnerability


From: Jeffrey Walton <noloader () gmail com>
Date: Wed, 29 May 2013 09:51:10 -0400

Hi James,

I guess the email from ebay sorta makes it all moot anyway.
It's interesting how the reason code changed. On May 24 the reason was
Kugler was too young; and then on May 29 the reason was the flaw was
previously reported.

It sounds like PayPal is lying to bring this to an end; and they've
lost more credibility.

Jeff

On Wed, May 29, 2013 at 9:22 AM, James Condron
<james () zero-internet org uk> wrote:
Ah, but then don't forget that in a contract (which this most certainly is not- but the parallels are there) 
ambiguity benefits the party which didn't draft the document.

If it's reasonable to infer a payment, and reasonable to fail to infer an age range, I think it's reasonable to get
paid for it.

I guess the email from ebay sorta makes it all moot anyway.

On 29 May 2013, at 13:33, Julius Kivimäki <julius.kivimaki () gmail com> wrote:

Well, they don't exactly state that they're going to pay you either.


2013/5/29 Źmicier Januszkiewicz <gauri () tut by>

Hmm, interesting.

For some reason I fail to find the mentioned "age requirements" at the
official bug bounty page located at
https://www.paypal.com/us/webapps/mpp/security/reporting-security-issues
Am I looking in the wrong direction? Can someone please point to where
this is written?

With kind regards,
Z.


2013/5/29 Robert Kugler <robert.kugler10 () gmail com>




2013/5/29 Jeffrey Walton <noloader () gmail com>

On Fri, May 24, 2013 at 12:38 PM, Robert Kugler
<robert.kugler10 () gmail com> wrote:
Hello all!

I'm Robert Kugler, a 17-year-old German student who's interested in
securing computer systems.

I would like to warn you that PayPal.com is vulnerable to a Cross-Site
Scripting vulnerability!
PayPal Inc. is running a bug bounty program for professional security
researchers.

...
Unfortunately PayPal disqualified me from receiving any bounty payment
because of being 17 years old...

...
I don’t want to allege PayPal a kind of bug bounty cost saving, but
it’s not
the best idea when you're interested in motivated security
researchers...
Fortunately Microsoft and Firefox took more reasonable positions for
the bugs you discovered with their products.

PCWorld and MSN picked up the story:

http://www.pcworld.com/article/2039940/paypal-denies-teenager-reward-for-finding-website-bug.html
and
http://now.msn.com/paypal-denies-reward-to-robert-kugler-teen-who-found-bug-in-code

It is now newsworthy to Wikipedia, where it will live forever under
Criticisms (unfortunately, it appears PayPal does a lot of
questionable things, so it's just one of a long list).

Jeff


Today I received an email from PayPal Site Security:

"Hi Robert,

We appreciate your research efforts and we are sorry that our
age requirements restrict you from participating in our Bug Bounty Program.
With regards to your specific bug submission, we should have also mentioned
that the vulnerability you submitted was previously reported by another
researcher and we are already actively fixing the issue. We hope that you
understand that bugs that have previously been reported to us are not
eligible for payment as we must honor the original researcher that provided
the vulnerability.

I would also mention that in general, PayPal has been a consistent
supporter of what is known as “responsible disclosure”.  That is, ensuring
that a company has a reasonable amount of time to fix a bug from
notification to public disclosure.  This allows the company to fix the bug,
so that criminals cannot use that knowledge to exploit it, but still gives
the researchers the ability to draw attention to their skills and
experience.  When researchers go down the “full disclosure” path, it then
puts us in a race with criminals who may successfully use the vulnerability
you found to victimize our customers.  We do not support the full
disclosure methodology, precisely because it puts real people at
unnecessary risk. We hope you keep that in mind when doing future research.

We acknowledge that PayPal can do more to recognize younger security
researchers around the world. As a first step, we would like you to be the
first security researcher in the history of our program to receive an
official "Letter of Recognition" from our Chief Information Security
Officer Michael Barrett (attached, will follow up with a signed copy
tomorrow). We truly appreciate your contribution to helping keep PayPal
secure for our customers and we will continue to explore other ways that we
can provide alternate recognition for younger researchers.

We'd welcome the chance to explain this all to you first hand over the
phone, please email us at this address with a number and good time to reach
you and we’d be happy to follow-up.

Thank you,
PayPal Site Security"

It's still curious that they only mentioned the first researcher who
previously found the bug after all the media attention... Nevertheless I
appreciate their intention to also acknowledge younger security
researchers; it's a step in the right direction!!

Best regards,

Robert Kugler

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
