PayPal's bug bounty begins
PayPal has announced a bug bounty programme for security researchers, following in the footsteps of Mozilla, Google and Facebook in offering cash rewards for responsibly disclosed flaws. Michael Barrett, Chief Information Security Officer at PayPal, said that the experiences of those companies had been positive and that this had overcome the reservations he had about paying researchers for bug reports. "It's clearly an effective way to increase researchers' attention on internet-based services and therefore find more potential issues."
The new programme is built on PayPal's previous, unpaid bug reporting programme. According to the For Security Researchers page, PayPal will accept bug reports and then examine and classify them. Vulnerabilities that qualify for the bounty include Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), SQL Injection (SQLi) and authentication bypass.
Specifically excluded from the bounty programme are CSRF vulnerabilities that merely force the user to be logged out of the PayPal site, a nuisance rather than a compromise of the account. PayPal also asks that researchers do not carry out potential or actual denial of service attacks against PayPal systems, and that they do not use any exploit to view another user's data without that user's authorisation.
The company says that once it has fixed the reported bug, it will make a payment, via PayPal, to the researcher. The online documentation does not reveal the range of payments, but it is believed to be between $500 and $5,000, depending on severity and particular exceptions. PayPal is probably hoping that the new programme will mean that flaws such as the XSS vulnerability found in the German version of PayPal are reported to the company first rather than becoming embarrassing public incidents.