
PayPal denies teenager reward for finding website bug - uladzislau
http://www.pcworld.com/article/2039940/paypal-denies-teenager-reward-for-finding-website-bug.html
======
300bps
If Dwolla, Skrill or another PayPal competitor is paying attention they might
be wise to pay the kid a bounty in the interest of "improving the integrity of
transactions on the web" even if it improved the security of their main
competitor.

Would do right by the kid and would be tremendous free publicity for the
companies looking to supplant PayPal.

~~~
will_brown
You clearly understand the value of good PR more than most, certainly more
than PayPal... Something like that might make me consider closing my PP account
for a competitor.

------
gngeal
TL;DR: If you find an exploitable bug in a high-profile web site and discover
that you're ineligible for a bug bounty, sell it to the bad guys instead. They
won't treat you like s##t. ;-)

~~~
JimJames
Out of curiosity, would it be illegal to do that? I mean ethically it's
definitely wrong, and I'm sure it's illegal to sell it to someone if you know
they are going to try and exploit it for profit, is there a technical loophole
to hide behind?

Say, you sell it to someone and to the best of your knowledge they want to
claim the reward for themselves. To justify the increased price you received
by selling it to a third party instead of submitting it for the bug reward you
could say that the third party intends to claim the bug as his own work and
the professional cred they'll receive justifies the increased price.

~~~
afreak
Companies like Vupen exist solely based on the development of exploits for
profit.

~~~
nathan_long
Wow, I didn't realize they could openly advertise that!

------
driverdan
PayPal's bounty system is a joke. Someone told me that he found a PP admin
login page that was vulnerable to SQLi. He notified PP but wasn't rewarded and
the bug hadn't been fixed when he checked it a month later. This was last
year.

~~~
batgaijin
What about that bullshit regulation that credit processors have to pass?
Doesn't that have a clause about timely response/mitigations of reported
bugs/flaws?

~~~
orphz
From what I heard, PayPal exists in the gray area between merchants and banks.

Correct me if I'm wrong, but I don't believe they have to do... well,
anything. They could shut down tomorrow and take all the money and it would be
perfectly legal.

~~~
brazzy
PayPal Europe is actually licensed as a Bank in Luxembourg.

~~~
herge
Being licensed as a Bank in Luxembourg sounds a lot like getting a degree from
the University of Phoenix.

~~~
DanBC
It's a real bank. Luxembourg has cheap corporate tax rates, so all Paypal's
Europe stuff goes through Luxembourg and thus they get cheaper taxes.

~~~
herge
Just because it is called a bank does not mean you'd want to rely on it.
If Paypal suddenly decided to pull up its stakes and take all its customers'
money, I would not imagine that Luxembourgois banking law would help a lot of
customers.

~~~
koyote
Do you have any sources confirming that the Luxembourgish banking laws would
allow Paypal (and all the other countless international banks stationed there)
to get away with this?

------
meritt
They'd just lock down his account for suspicious activity as soon as they paid
him, anyway.

------
ionforce
I love the fact that he wanted at least a letter of verification for future
job prospects. Future-thinking kid! And he has a history with Microsoft and
Mozilla, and he's only 17!

I love it.

------
JimmaDaRustla
You need a PayPal account to be eligible for a bounty, which he does not
because you must be 18 to own a PayPal account.

I have a few friends who work for PayPal support; apparently under-18
customers who put in a fake date of birth call all the time because they can't
set up a bank account to receive their money (usually from Minecraft server
donations).

~~~
tantalor
When he turns 18 and creates a legit account, can he claim the bounty?

~~~
JimmaDaRustla
I would hope so! Or they're just complete bastards.

I'm agreeing with everyone else - the work done is not dependent on age, nor
is the payment of the gratuity, so give him the dough he deserves and quit
embarrassing yourself PayPal!

------
mikerastiello
This is a good example of how to turn a good hacker into a bad hacker.

------
alt_
Original seclist discussion from yesterday:
<https://news.ycombinator.com/item?id=5771647>

------
wladimir
Yet another Paypal PR disaster, they're good at spinning everything in the
worst possible way. What are they trying to do, get some award for world's
least popular company?

------
theboss
No surprise here. I posted my thoughts about this on reddit, as someone who
has dealt with paypal and their bug bounty program.

They will do anything they can to say the vulnerability is out of scope. Even
some heinous vulnerabilities.

It's quite tragic paypal wants to discourage responsible disclosure when one
incident will cost them their reputation.

~~~
6d0debc071
What reputation? As far as I can tell they only manage to stay in business
because banking laws are really perverse so competition's effectively
non-existent if you want to do business with the US.

------
ck2
As previously seen: <https://news.ycombinator.com/item?id=5771647>

(but good to see again)

------
ssharp
I'd imagine before someone reports a vulnerability, they're likely to research
the company's history in dealing with reports. You don't want to openly reduce
the incentives you give to people to report exploits instead of selling them.
So PayPal deals with this exploit without it affecting their users, but their
users are now prone to be exploited in the future.

------
dspillett
Facebook to all those under 18: if you find a flaw in our site, sell the
information to the black-hats as you mean nothing to us.

Of course there might be legal reasons for excluding those below a certain age
(though 18 seems high for this boundary) as they don't want their offer to be
seen as employing minors.

~~~
objclxt
Facebook? We're talking about PayPal here. Facebook's vulnerability program
requires you just not be in a country subject to US sanctions (and presumably
be over 13, the age you need to be to have a Facebook account in the first
place).

~~~
dspillett
Sorry, I've been commenting on both companies in another forum and my brain
skipped track there.

For any company that offers bounties, my points are still relevant: not
handing them out to a subset could encourage that subset to look for reward
elsewhere, and the perception of labour use could be an important
consideration.

------
chris_wot
Emailing the link <http://paypal.com> is NOT something you'd generally give a
bug reward for. Like shooting fish in a barrel.

~~~
twistedpair
Hmmm... which they redirect to the <https://> site. How do you hack this
exactly? MITM before the redirect?

~~~
chris_wot
The bug is actually the man himself, who uses PayPal.

------
benawabe896
Looks like PayPal is trying hard to take EA's crown.

~~~
chris_wot
They took it some time ago.

------
denzil_correa
PayPal seriously?!! I think you can pay him after he turns 18 and keep holding
the amount (with interest of course) by that time.

------
Kiro
Off-topic but I thought XSS was about injecting JS which other users can see.
Is this really a vulnerability and not just a bug?

~~~
1SaltwaterC
How many actual users suspect that something is wrong with the input, even
without URL obfuscation? OTOH, with a permanent XSS it is pretty much game
over, even though I doubt that's the case. XSS can do a lot of damage if used
properly.

------
auctiontheory
No one seems to like PayPal. I'm surprised Amazon Payments and Google Checkout
haven't made more headway.

~~~
afreak
[https://support.google.com/checkout/sell/answer/3080449?hl=e...](https://support.google.com/checkout/sell/answer/3080449?hl=en)

Considering Google is retiring checkout, there are not many players out there.

~~~
TheCraiggers
That's not that big a deal. They're basically just retiring the name - Google
Wallet will be taking over and merchants can use it in much the same way.

------
yoster
They could have at least given him Paypal credit or a giftcard. This company
is fucking bullshit. Give the kid a donation to his college fund.

