PayPal Starts Bug Bounty Program For Security Research

PayPal is the latest company to join the ranks of software vendors and Web properties that offer bounties to security researchers who privately disclose new bugs to them. The company isn’t saying how much it will pay for each bug, just that its security team will determine the severity of each flaw as well as the ultimate payout.


PayPal’s decision to offer financial incentives to researchers follows the establishment of similar programs by companies including Google, Mozilla, Facebook, Barracuda and others. Google’s bug bounty program may be the most well-known and comprehensive, as it includes bugs not just in its software products such as Chrome, but also its Web properties. The company has paid out more than $400,000 in rewards to researchers since the program began and researchers who consistently find bugs in Google’s products can make a nice side income off the program.

Now PayPal is entering the fray at a time when financial fraud and attacks against high-profile Web sites are at a fever pitch. The company’s top security official said that he believes PayPal is the first financial services company to start such a program. 

“Today I’m pleased to announce that we have updated our original bug reporting process into a paid “bug bounty” program. The experience from other companies such as Facebook, Google, Mozilla, Samsung and others who have implemented similar programs has been very positive. I originally had reservations about the idea of paying researchers for bug reports, but I am happy to admit that the data has shown me to be wrong – it’s clearly an effective way to increase researchers’ attention on Internet-based services and therefore find more potential issues,” Michael Barrett, PayPal’s CISO, said.

There are only four types of vulnerabilities that are in scope for PayPal’s program: XSS (cross-site scripting), CSRF (cross-site request forgery), SQL injection and authentication bypass. Doing vulnerability research on Web applications has been a thorny issue for researchers, as it involves manipulating data or sessions on other people’s sites and is not the same as testing desktop or server apps on your own machine. PayPal is asking that researchers not engage in research on its site that involves “potential or actual denial of service of PayPal applications and systems or use of an exploit to view data without authorization, or corruption of data.”

PayPal, like other vendors who have bug bounty systems, asks that researchers notify the company of the vulnerability first and give it a reasonable amount of time to address the problem before disclosing it publicly.


Discussion

  • 2012marandalaw on

    What do these researchers do, when they find a Software Bug? Nothing! They get paid to do Nothing! I can do that job..

  • Philip Cohen on

    Now that Visa’s online digital wallet, V.me, is up and running (see buy.com), with MasterCard’s offering soon to follow, PayPal will need to offer more than a "bug bounty to uncover security holes" for it to survive outside of the atrophying eBay Marketplace, for even another year, I suspect.
     
    Indeed, I doubt that anything can now save these two most despised entities, eBafia and PreyPal, from the destruction that has been wrought on them by the headless turkey from Bain & Co, John Edward Donahoe …
     
    And to think that five years ago the stock prices of both eBay and Amazon were ~$40. Please guys, stop regurgitating all that nonsense that habitually emanates from the eBay Dept of Spin. The old whale is high and dry on the beach; it is moribund; let it die in peace; (and, stock analysts, stop trying to shill investors into wasting their money on this loser, eBafia, and its ugly adopted daughter, PreyPal.)
     
    eBay / PayPal / Donahoe: Dead Men Walking

  • Anonymous on

    Bug Bounty 
