lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 29 May 2013 15:04:55 +0100
From: James Condron <james@...o-internet.org.uk>
To: noloader@...il.com
Cc: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Re: PayPal.com XSS Vulnerability

Hrm,

I read it that the issue was still the age but that the previous disclosure was another reason they had found. Its sneaky and poor but I didn't read it as a change in reason; just an additional thing they found. It may even be true.

The fact is they handled this poorly but whether they're lying about another person finding it or not had they been cleverly dishonest they would have gone with that in the first place.

They ought really pay, though.

On 29 May 2013, at 14:51, Jeffrey Walton <noloader@...il.com> wrote:

> Hi James,
> 
>> I guess the email from ebay sorta makes it all moot anyway.
> Its interesting how the reason code changed. On May 24 the reason was
> Kugler was too young; and then on May 29 the reason was the flaw was
> previously reported.
> 
> It sounds like PayPal is lying to bring this to an end; and they've
> lost more credibility.
> 
> Jeff
> 
> On Wed, May 29, 2013 at 9:22 AM, James Condron
> <james@...o-internet.org.uk> wrote:
>> Ah, but then don't forget that in a contract (which this most certainly is not- but the parallels are there) ambiguity benefits the party which didn't draft the document.
>> 
>> If its reasonable to infer a payment, and reasonable to fail to infer an age range, I think its reasonable to get paid for it.
>> 
>> I guess the email from ebay sorta makes it all moot anyway.
>> 
>> On 29 May 2013, at 13:33, Julius Kivimäki <julius.kivimaki@...il.com> wrote:
>> 
>>> Well, they don't exactly state that they're going to pay you either.
>>> 
>>> 
>>> 2013/5/29 Źmicier Januszkiewicz <gauri@....by>
>>> 
>>>> Hmm, interesting.
>>>> 
>>>> For some reason I fail to find the mentioned "age requirements" at the
>>>> official bug bounty page located at
>>>> https://www.paypal.com/us/webapps/mpp/security/reporting-security-issues
>>>> Am I looking in the wrong direction? Can someone please point to where
>>>> this is written?
>>>> 
>>>> With kind regards,
>>>> Z.
>>>> 
>>>> 
>>>> 2013/5/29 Robert Kugler <robert.kugler10@...il.com>
>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>>> 2013/5/29 Jeffrey Walton <noloader@...il.com>
>>>>> 
>>>>>> On Fri, May 24, 2013 at 12:38 PM, Robert Kugler
>>>>>> <robert.kugler10@...il.com> wrote:
>>>>>>> Hello all!
>>>>>>> 
>>>>>>> I'm Robert Kugler a 17 years old German student who's interested in
>>>>>> securing
>>>>>>> computer systems.
>>>>>>> 
>>>>>>> I would like to warn you that PayPal.com is vulnerable to a Cross-Site
>>>>>>> Scripting vulnerability!
>>>>>>> PayPal Inc. is running a bug bounty program for professional security
>>>>>>> researchers.
>>>>>>> 
>>>>>>> ...
>>>>>>> Unfortunately PayPal disqualified me from receiving any bounty payment
>>>>>>> because of being 17 years old...
>>>>>>> 
>>>>>>> ...
>>>>>>> I don’t want to allege PayPal a kind of bug bounty cost saving, but
>>>>>> it’s not
>>>>>>> the best idea when you're interested in motivated security
>>>>>> researchers...
>>>>>> Fortunately Microsoft and Firefox took a more reasonable positions for
>>>>>> the bugs you discovered with their products.
>>>>>> 
>>>>>> PCWorld and MSN picked up the story:
>>>>>> 
>>>>>> http://www.pcworld.com/article/2039940/paypal-denies-teenager-reward-for-finding-website-bug.html
>>>>>> and
>>>>>> http://now.msn.com/paypal-denies-reward-to-robert-kugler-teen-who-found-bug-in-code
>>>>>> .
>>>>>> It is now news worthy to Wikipedia, where it will live forever under
>>>>>> Criticisms (unfortunately, it appears PayPal does a lot of
>>>>>> questionable things so its just one of a long list).
>>>>>> 
>>>>>> Jeff
>>>>>> 
>>>>> 
>>>>> Today I received an email from PayPal Site Security:
>>>>> 
>>>>> "Hi Robert,
>>>>> 
>>>>> We appreciate your research efforts and we are sorry that our
>>>>> age requirements restrict you from participating in our Bug Bounty Program.
>>>>> With regards to your specific bug submission, we should have also mentioned
>>>>> that the vulnerability you submitted was previously reported by another
>>>>> researcher and we are already actively fixing the issue. We hope that you
>>>>> understand that bugs that have previously been reported to us are not
>>>>> eligible for payment as we must honor the original researcher that provided
>>>>> the vulnerability.
>>>>> 
>>>>> I would also mention that in general, PayPal has been a consistent
>>>>> supporter of what is known as “responsible disclosure”.  That is, ensuring
>>>>> that a company has a reasonable amount of time to fix a bug from
>>>>> notification to public disclosure.  This allows the company to fix the bug,
>>>>> so that criminals cannot use that knowledge to exploit it, but still gives
>>>>> the researchers the ability to draw attention to their skills and
>>>>> experience.  When researchers go down the “full disclosure” path, it then
>>>>> puts us in a race with criminals who may successfully use the vulnerability
>>>>> you found to victimize our customers.  We do not support the full
>>>>> disclosure methodology, precisely because it puts real people at
>>>>> unnecessary risk. We hope you keep that in mind when doing future research.
>>>>> 
>>>>> We acknowledge that PayPal can do more to recognize younger security
>>>>> researchers around the world. As a first step, we would like you to be the
>>>>> first security researcher in the history of our program to receive an
>>>>> official "Letter of Recognition" from our Chief Information Security
>>>>> Officer Michael Barrett (attached, will follow up with a signed copy
>>>>> tomorrow). We truly appreciate your contribution to helping keep PayPal
>>>>> secure for our customers and we will continue to explore other ways that we
>>>>> can we provide alternate recognition for younger researchers.
>>>>> 
>>>>> We'd welcome the chance to explain this all to you first hand over the
>>>>> phone, please email us at this address with a number and good time to reach
>>>>> you and we’d be happy to follow-up.
>>>>> 
>>>>> Thank you,
>>>>> PayPal Site Security"
>>>>> 
>>>>> It's still curious that they only mentioned the first researcher who
>>>>> previously found the bug after all the media attention...Nevertheless I
>>>>> appreciate their intentions to acknowledge also younger security
>>>>> researchers, it's a step in the right direction!!
>>>>> 
>>>>> Best regards,
>>>>> 
>>>>> Robert Kugler

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists