Date: Wed, 29 May 2013 20:15:13 +0100
From: Vulnerability Lab <research@...nerability-lab.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: PayPal.com XSS Vulnerability

Let me provide an answer regarding the conversation of the young
researcher < PayPal and the 13 more PayPal XSS posts.

Priority #1 - PayPal checks if all rules are successfully granted
Priority #2 - PayPal checks & validates the issue

#1 The guy did not read the participation rules and made at the end a
full disclosure for fame
#2 The issue was already reported and PayPal is preparing a patch with
priority influence

If you do not want to see or accept the truth ... you should as a minimum
grant the researcher the credits.
The little Indian forcer scene from the govt with the Mohit Kumar
mythology wants their bugs patched within one day and tomorrow get a
payout, but in the real world this is not possible easily. They also
have concepts to prevent and check the effects of patches and co.

In this case the little guy had no knowledge that the issue was already
reported multiple times and the others were all silent.
At the end he lost all ... he got no money, his bug was not accepted and
he will no longer get the possibility to report future issues because
he broke the policy with a full disclosure for no reason.

I will continue to report my issues to PayPal to get bug bounty rewards
since so far all was correct.
When I saw the news I was a bit stunned how evil the news groups
published the news against PayPal, since the facts are on the table.

~bkm

-- 
VULNERABILITY RESEARCH LABORATORY
LABORATORY RESEARCH TEAM
CONTACT: research@...nerability-lab.com


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/