PayPal is the latest company to join the ranks of software vendors and Web properties that offer bounties to security researchers who privately disclose new bugs to them. The company isn’t saying how much it will pay for each bug, just that its security team will determine the severity of each flaw as well as the ultimate payout.
PayPal’s decision to offer financial incentives to researchers follows the establishment of similar programs by companies including Google, Mozilla, Facebook, Barracuda and others. Google’s bug bounty program may be the best-known and most comprehensive, as it covers bugs not just in its software products such as Chrome, but also in its Web properties. The company has paid out more than $400,000 in rewards to researchers since the program began, and researchers who consistently find bugs in Google’s products can make a nice side income off the program.
Now PayPal is entering the fray at a time when financial fraud and attacks against high-profile Web sites are at a fever pitch. The company’s top security official said that he believes PayPal is the first financial services company to start such a program.
“Today I’m pleased to announce that we have updated our original bug reporting process into a paid ‘bug bounty’ program. The experience from other companies such as Facebook, Google, Mozilla, Samsung and others who have implemented similar programs has been very positive. I originally had reservations about the idea of paying researchers for bug reports, but I am happy to admit that the data has shown me to be wrong – it’s clearly an effective way to increase researchers’ attention on Internet-based services and therefore find more potential issues,” Michael Barrett, PayPal’s CISO, said.
There are only four types of vulnerabilities that are in scope for PayPal’s program: XSS, CSRF (cross-site request forgery), SQL injection and authentication bypass. Doing vulnerability research on Web applications has been a thorny issue for researchers, as it involves manipulating data or sessions on other people’s sites and is not the same as testing desktop or server apps on your own machine. PayPal is asking that researchers not engage in research on their site that involves “potential or actual denial of service of PayPal applications and systems or use of an exploit to view data without authorization, or corruption of data.”
PayPal, like other vendors who have bug bounty systems, asks that researchers notify the company of the vulnerability first and give it a reasonable amount of time to address the problem before disclosing it publicly.