lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 28 May 2013 09:13:10 -0400
From: Jeffrey Walton <>
To: Dan Kaminsky <>
Cc: full-disclosure <>
Subject: Re: XSS Vulnerability

On Tue, May 28, 2013 at 8:26 AM, Dan Kaminsky <> wrote:
>    So there's this pile of law around the world around work and kids; it's a
> rather recent development that <18 year olds can find problems that
> multibillion dollar interests are willing to pay bounties for.
I'm probably splitting hairs here, but there appears to be a cultural
bias built in. At 17+, Robert would have been of age if he was
Japanese under "Kazoe" year-counting.

> The laws
> are all trying to protect you from being made to pick berries or sew
> t-shirts instead of going to class and playing outside.
The humor was not lost upon me that politicians and lawyers are trying
to legislate morality. How ironic!



> On Fri, May 24, 2013 at 9:38 AM, Robert Kugler <>
> wrote:
>> Hello all!
>> I'm Robert Kugler a 17 years old German student who's interested in
>> securing computer systems.
>> I would like to warn you that is vulnerable to a Cross-Site
>> Scripting vulnerability!
>> PayPal Inc. is running a bug bounty program for professional security
>> researchers.
>> XSS vulnerabilities are in scope. So I tried to take part and sent my find
>> to PayPal Site Security.
>> The vulnerability is located in the search function and can be triggered
>> with the following javascript code:
>> ';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";
>> alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--
>> ></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
>> Screenshot:
>> Unfortunately PayPal disqualified me from receiving any bounty payment
>> because of being 17 years old...
>> PayPal Site Security:
>> "To be eligible for the Bug Bounty Program, you must not:
>> ... Be less than 18 years of age.If PayPal discovers that a researcher
>> does not meet any of the criteria above, PayPal will remove that researcher
>> from the Bug Bounty Program and disqualify them from receiving any bounty
>> payments."
>> I don’t want to allege PayPal a kind of bug bounty cost saving, but it’s
>> not the best idea when you're interested in motivated security
>> researchers...

Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia -

Powered by blists - more mailing lists