PayPal is in the process of fixing the cross-site scripting flaw on its Web site that was disclosed last week. The teenage researcher who found and disclosed the bug said Wednesday that PayPal security officials told him that someone else had reported the same vulnerability to them earlier and they’re trying to patch it now.
Robert Kugler, a 17-year-old German student, posted a message on the Full Disclosure mailing list on May 24 disclosing the XSS vulnerability on several of PayPal’s Web sites. He included a screen shot of the bug being exploited and said that he had reported the flaw to PayPal, a subsidiary of eBay, which runs a bug reward program for security researchers. Kugler said that he got a response from PayPal’s security team informing him that he was below the minimum age of 18 to qualify for the reward program, so he posted the information on Full Disclosure instead.
The bug report drew quite a bit of media attention, as did PayPal’s assertion that Kugler didn’t qualify for its reward program. There isn’t any stated age requirement in the guidelines for PayPal’s reward program, but in its email to Kugler, the company’s security team said that he was too young for the program. In a later email, which Kugler posted to the mailing list Wednesday, the security team reiterated that Kugler was too young, but also said that another researcher had reported the same XSS vulnerability to them before he did, which would have disqualified him from the reward in any case.
“With regards to your specific bug submission, we should have also mentioned that the vulnerability you submitted was previously reported by another researcher and we are already actively fixing the issue. We hope that you understand that bugs that have previously been reported to us are not eligible for payment as we must honor the original researcher that provided the vulnerability,” the email says.
A PayPal spokesman said Wednesday that the age requirement isn’t spelled out in the bug bounty guidelines because it follows from the requirement that all participants have a verified PayPal account, for which one must be 18 years old in Germany.
“While we always appreciate contributions by the security community to PayPal’s Bug Bounty Program, we reward participants when they are the first to report valid security vulnerabilities. In this specific situation, the cross-site scripting vulnerability was already discovered by another security researcher, so it would not have been eligible for payment, regardless of age, as we must honor the original researcher that provided the vulnerability. We are actively working to fix the vulnerability and we have not found any evidence at this time that any of PayPal’s customers’ information has been compromised,” the PayPal statement said.
“We appreciate the security researcher’s efforts and this situation illustrates that PayPal can do more to recognize younger security researchers around the world. As a first step, we are sending an official letter of recognition for the researcher’s contribution and we are exploring other ways to recognize younger security researchers when they do discover a vulnerability and responsibly disclose that discovery.”
The same email from PayPal goes on to chide Kugler for disclosing the vulnerability before it was patched.
“When researchers go down the ‘full disclosure’ path, it then puts us in a race with criminals who may successfully use the vulnerability you found to victimize our customers. We do not support the full disclosure methodology, precisely because it puts real people at unnecessary risk. We hope you keep that in mind when doing future research,” the message says.
Kugler said in an email interview that he was disappointed in the response from PayPal and believes that it was motivated by PR concerns rather than security.
“Their reaction was really disappointing,” he said. “Some people are saying PayPal’s latest response is PR driven – designed to deflect from all the bad publicity for appearing to be age biased against a bright young person and I can’t deny that!”
He added that the experience hasn’t soured him on researching and reporting vulnerabilities. He’s submitted reports to Mozilla and Microsoft in the past, with credit given.
“I think PayPal learned that you can’t ignore younger security researchers,” Kugler said.
In lieu of the monetary reward for submitting a qualifying vulnerability, PayPal sent Kugler a “letter of recognition” from its CISO, Michael Barrett, the first such letter the company says it has sent to any researcher.