If Dwolla, Skrill or another PayPal competitor is paying attention they might be wise to pay the kid a bounty in the interest of "improving the integrity of transactions on the web" even if it improved the security of their main competitor.
Would do right by the kid and would be tremendous free publicity for the companies looking to supplant PayPal.
You clearly understand the value of good PR more than most, certainly more than PayPal... Something like that might make me consider closing my PP account for a competitor.
TL;DR: If you find an exploitable bug in a high-profile web site and discover that you're ineligible for a bug bounty, sell it to the bad guys instead. They won't treat you like s##t. ;-)
Out of curiosity, would it be illegal to do that? I mean, ethically it's definitely wrong, and I'm sure it's illegal to sell it to someone if you know they are going to try and exploit it for profit, but is there a technical loophole to hide behind?
Say you sell it to someone and, to the best of your knowledge, they want to claim the reward for themselves. To justify the increased price you received by selling it to a third party instead of submitting it for the bug reward, you could say that the third party intends to claim the bug as their own work and the professional cred they'll receive justifies the increased price.
Well, the US government buys exploits from people [1], which means it must be legal in the US. The government would never do anything against the law, right?
PayPal's bounty system is a joke. Someone told me that he found a PP admin login page that was vulnerable to SQLi. He notified PP but wasn't rewarded and the bug hadn't been fixed when he checked it a month later. This was last year.
What about that bullshit regulation that credit processors have to pass? Doesn't that have a clause about timely response/mitigations of reported bugs/flaws?
From what I heard, PayPal exists in the gray area between merchants and banks.
Correct me if I'm wrong, but I don't believe they have to do... well, anything. They could shut down tomorrow and take all the money and it would be perfectly legal.
Just because it is called a bank does not mean you would want to rely on it. If PayPal suddenly decided to pull up its stakes and take all its customers' money, I would not imagine that Luxembourgish banking law would help a lot of customers.
Do you have any sources confirming that Luxembourgish banking law would allow PayPal (and all the other countless international banks stationed there) to get away with this?
> They could shut down tomorrow and take all the money and it would be perfectly legal.
There may be less protection than if they were a bank, but it would hardly be legal. They might be able to steal the money and escape with it in a way a bank can't, but again, not legal.
I love the fact that he wanted at least a letter of verification for future job prospects. Future thinking kid! And, he has a history with Microsoft and Mozilla, and he's only 17!
You need a PayPal account to be eligible for a bounty, which he does not have, because you must be 18 to own a PayPal account.
I have a few friends who work for PayPal support; apparently under-18 customers who put in a fake date of birth call all the time because they can't set up a bank account to receive their money (usually from Minecraft server donations).
I would hope so! Or they're just complete bastards.
I'm agreeing with everyone else - the work done is not dependent on age, nor is the payment of the gratuity, so give him the dough he deserves and quit embarrassing yourself PayPal!
Yet another PayPal PR disaster; they're good at spinning everything in the worst possible way. What are they trying to do, get some award for world's least popular company?
What reputation? As far as I can tell they only manage to stay in business because banking laws are really perverse so competition's effectively non-existent if you want to do business with the US.
I'd imagine that before someone reports a vulnerability, they're likely to research the company's history in dealing with reports. You don't want to openly reduce the incentives you give people to report exploits instead of selling them. So PayPal deals with this exploit without it affecting their users, but their users are now prone to being exploited in the future.
Facebook to all those under 18: if you find a flaw in our site, sell the information to the black-hats as you mean nothing to us.
Of course there might be legal reasons for excluding those below a certain age (though 18 seems high for this boundary) as they don't want their offer to be seen as employing minors.
Facebook? We're talking about PayPal here. Facebook's vulnerability program requires you just not be in a country subject to US sanctions (and presumably be over 13, the age you need to be to have a Facebook account in the first place).
Sorry, I've been commenting on both companies in another forum and my brain skipped track there.
For any company that offers bounties, my points are still relevant: not handing them out to a subset could encourage that subset to look for a reward elsewhere, and the perception of labour use could be an important consideration.
I'm not saying it is, just that it might be perceived to be.
Public relations has nothing to do with true facts, it has everything to do with how people interpret the details they see. If someone does mis-interpret and get on their high horse, others will join in without checking the facts themselves and it can be a nightmare trying to point out the truth of the matter over all that noise.
Sorry, I was discussing both companies in another forum just before coming over here. My poor little brain skipped track and had me type the wrong name.
How many actual users suspect that something is wrong with the input, even without URL obfuscation? OTOH, with a permanent XSS it is pretty much game over, even though I doubt that's the case. XSS can do a lot of damage if used properly.