lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Wed, 29 May 2013 13:42:32 +0200
From: Robert Kugler <>
To: Jeffrey Walton <>,
Subject: Re: XSS Vulnerability

2013/5/29 Jeffrey Walton <>

> On Fri, May 24, 2013 at 12:38 PM, Robert Kugler
> <> wrote:
> > Hello all!
> >
> > I'm Robert Kugler a 17 years old German student who's interested in
> securing
> > computer systems.
> >
> > I would like to warn you that is vulnerable to a Cross-Site
> > Scripting vulnerability!
> > PayPal Inc. is running a bug bounty program for professional security
> > researchers.
> >
> > ...
> > Unfortunately PayPal disqualified me from receiving any bounty payment
> > because of being 17 years old...
> >
> > ...
> > I don’t want to allege PayPal a kind of bug bounty cost saving, but it’s
> not
> > the best idea when you're interested in motivated security researchers...
> Fortunately Microsoft and Firefox took a more reasonable positions for
> the bugs you discovered with their products.
> PCWorld and MSN picked up the story:
> and
> .
> It is now news worthy to Wikipedia, where it will live forever under
> Criticisms (unfortunately, it appears PayPal does a lot of
> questionable things so its just one of a long list).
> Jeff

Today I received an email from PayPal Site Security:

"Hi Robert,

We appreciate your research efforts and we are sorry that our
age requirements restrict you from participating in our Bug Bounty Program.
With regards to your specific bug submission, we should have also mentioned
that the vulnerability you submitted was previously reported by another
researcher and we are already actively fixing the issue. We hope that you
understand that bugs that have previously been reported to us are not
eligible for payment as we must honor the original researcher that provided
the vulnerability.

I would also mention that in general, PayPal has been a consistent
supporter of what is known as “responsible disclosure”.  That is, ensuring
that a company has a reasonable amount of time to fix a bug from
notification to public disclosure.  This allows the company to fix the bug,
so that criminals cannot use that knowledge to exploit it, but still gives
the researchers the ability to draw attention to their skills and
experience.  When researchers go down the “full disclosure” path, it then
puts us in a race with criminals who may successfully use the vulnerability
you found to victimize our customers.  We do not support the full
disclosure methodology, precisely because it puts real people at
unnecessary risk. We hope you keep that in mind when doing future research.

We acknowledge that PayPal can do more to recognize younger security
researchers around the world. As a first step, we would like you to be the
first security researcher in the history of our program to receive an
official "Letter of Recognition" from our Chief Information Security
Officer Michael Barrett (attached, will follow up with a signed copy
tomorrow). We truly appreciate your contribution to helping keep PayPal
secure for our customers and we will continue to explore other ways that we
can we provide alternate recognition for younger researchers.

We'd welcome the chance to explain this all to you first hand over the
phone, please email us at this address with a number and good time to reach
you and we’d be happy to follow-up.

Thank you,
PayPal Site Security"

It's still curious that they only mentioned the first researcher who
previously found the bug after all the media attention...Nevertheless I
appreciate their intentions to acknowledge also younger security
researchers, it's a step in the right direction!!

Best regards,

Robert Kugler

Content of type "text/html" skipped

Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia -

Powered by blists - more mailing lists