I've actually submitted, and was recently paid for, a PayPal XSS bug. I had the same issue with the expired PGP key and also received the new key from them manually. The whole process took around 4 months to complete, for most of which I was left in the dark. The only notification received came in every 2 weeks to notify me that I was still in queue. PayPal paid me $250 initially and another $500 after the bug was fixed. The initial $250 was actually submitted to the email address on the account I was testing with (which had actually already been "Restricted") as opposed to my real PayPal address, which they requested and I had provided. I was actually surprised by the amount, as at no point was I told how much I would receive (I had originally expected the second payment to also be $250). I appreciate the program, but they have a lot to learn; in comparison, the same process with Etsy took less than a day for them to replicate/patch. Google, even with its size, takes roughly 3-4 weeks and communicates fairly quickly throughout the entire process. I will say it was rather nice to be able to cash out the bounty in just a few days after each payment, but compared to the rest of the companies with bug bounty programs, PayPal's ranks lowest in my opinion.

