PayPal sets up bug bounty program
Posted on 22 June 2012.
Joining the likes of Google, Facebook, Mozilla and others, PayPal has announced that it will be offering money for information about security bugs that affect their site (

"I have the privilege of leading a world renowned security team but we realize that no company can do it all alone," PayPal's CISO Michael Barrett wrote in a blog post. "To that end, we were one of the first companies to implement a bug reporting process for outside security researchers."

"I originally had reservations about the idea of paying researchers for bug reports, but I am happy to admit that the data has shown me to be wrong its clearly an effective way to increase researchers attention on Internet-based services and therefore find more potential issues," he concluded.

PayPal is searching for reports on XSS (cross site scripting), CSRF (cross site request forgery), SQL injection and authentication bypass vulnerabilities, but hasn't yet specified the bounty amount that the researchers can expect for their disclosures.

In order to be eligible for the bounty, they are bound to share the security issue with PayPal before making it public, provide full details of the security issue, and allow the company reasonable time to respond to the issue before disclosing it publicly.

PayPal also says that if a disclosure respects all the guidelines they outlined, they "will not bring a private action or refer a matter for public inquiry."


101,000 US taxpayers affected by automated attack on IRS app

The IRS has revealed more details about an attack it suffered last month, mounted by unknown individuals with the aim to file fraudulent tax returns and funnel the returned money to their own bank accounts.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Wed, Feb 10th