Categories: SecurityWorkspace

PayPal Defends Denying 17-Year-Old His Bug Bounty

PayPal has given two reasons why a 17-year-old was not rewarded for finding a potentially serious vulnerability on the payment platform’s website: he was not old enough and the flaw had already been found.

German student Robert Kugler decided to disclose the cross-site scripting (XSS) vulnerability on Seclists.Org after PayPal turned him away.

He found the vulnerability in the search function of the site, triggering it with some JavaScript code, as is normal with XSS flaws. Such attacks typically see a hacker send the victim a link, which will have them enter JavaScript code into the vulnerable website form. That code would include a command to pass cookies on to the hacker’s own domain.

“I don’t want to allege PayPal a kind of bug bounty cost saving, but it’s not the best idea when you’re interested in motivated security researcher,” he wrote.

PayPal defence

The eBay-owned company came in for some stick on Reddit, where one user noted Google and Mozilla pay under-age participants if they get an adult’s permission. Given the lack of security talent available globally, companies should reward youngsters for their findings, according to security experts.

But PayPal has defended its actions. “While we appreciate Mr. Kugler’s contribution to PayPal’s Bug Bounty Program, we can confirm that the cross-scripting vulnerability he identified was already discovered by another security researcher and Mr. Kugler is ineligible to participate in the program since he is under 18 years old,” a spokesperson said, in an emailed statement sent to TechWeekEurope.

“We are working quickly to fix the cross-scripting issue, and we have not found any evidence at this time that our customers’ information has been compromised by this vulnerability.

“We recognise and appreciate Mr. Kugler’s efforts, and we look forward to continue working with the security community to receive bug submissions that are responsibly disclosed.”

What do you know about Internet security? Find out with our quiz!

Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.

Recent Posts

Apple, Google Mobile Ecosystems Should Be Investigated, CMA Told

CMA receives 'provisional recommendation' from independent inquiry that Apple,Google mobile ecosystem needs investigation

2 hours ago

Australia Rejects Elon Musk Claim About Social Media Ban For Under-16s

Government minister flatly rejects Elon Musk's “unsurprising” allegation that Australian government seeks control of Internet…

5 hours ago

Northvolt Files For Bankruptcy Protection In US

Northvolt files for Chapter 11 bankruptcy protection in the United States, and CEO and co-founder…

6 hours ago

UK’s CMA Readies Cloud Sector “Behavioural” Remedies – Report

Targetting AWS, Microsoft? British competition regulator soon to announce “behavioural” remedies for cloud sector

22 hours ago

Former Policy Boss At X Nick Pickles, Joins Sam Altman Venture

Move to Elon Musk rival. Former senior executive at X joins Sam Altman's venture formerly…

1 day ago

Bitcoin Rises Above $96,000 Amid Trump Optimism

Bitcoin price rises towards $100,000, amid investor optimism of friendlier US regulatory landscape under Donald…

1 day ago