PayPal denies teenager reward for finding website bug - A 17-year-old German student contends PayPal has denied him a reward for finding a vulnerability in its website.
Robert Kugler said he notified PayPal of the vulnerability on May 19. He said he was informed by email that because he is under 18 years old, he did not qualify for its bug bounty program. He will turn 18 next March.
PayPal, which is owned by auction website eBay, outlines the terms and conditions for its bug bounty program on its website, but does not appear to have an age guideline. PayPal officials did not have an immediate comment.
Several companies, including Google and Facebook, have reward programs. The programs are intended to create an incentive for researchers to privately report problems and allow vendors to release fixes before hackers take advantage of flaws.
Facebook pays a minimum of $500 for qualifying bugs, while Google pays from $100 up to $20,000 depending on the severity of the problem. Neither has an age restriction listed on its website. Microsoft does not pay for security vulnerability information, but instead publicly acknowledges the work. PayPal does not list what it will pay a researcher for a bug.
Kugler is listed as a contributor in Microsoft's April list of security researchers. He said he has received rewards for finding vulnerabilities in the past. Mozilla paid him $1,500 for finding a problem in the Firefox browser last year and $3,000 earlier this year for another bug.
PayPal requires that those reporting bugs have a verified PayPal account. Kugler said he asked PayPal that any bounty be paid into his parents' account.
At minimum, Kugler would like PayPal to acknowledge his finding and send him some documentation "that I can use in a job application," he wrote via email. So far, he hasn't received anything.
The details of the vulnerability, a cross-site scripting (XSS) flaw, are posted on the Full Disclosure section of seclists.org, a forum for disclosing security vulnerabilities.
An XSS attack occurs when a script drawn from another website is allowed to run but should not. This type of flaw can be used to steal data or potentially cause other malicious code to run.