PayPal sets up bug bounty program
Posted on 22 June 2012.
Joining the likes of Google, Facebook, Mozilla and others, PayPal has announced that it will be offering money for information about security bugs that affect their site (

"I have the privilege of leading a world renowned security team but we realize that no company can do it all alone," PayPal's CISO Michael Barrett wrote in a blog post. "To that end, we were one of the first companies to implement a bug reporting process for outside security researchers."

"I originally had reservations about the idea of paying researchers for bug reports, but I am happy to admit that the data has shown me to be wrong Ė itís clearly an effective way to increase researchers attention on Internet-based services and therefore find more potential issues," he concluded.

PayPal is searching for reports on XSS (cross site scripting), CSRF (cross site request forgery), SQL injection and authentication bypass vulnerabilities, but hasn't yet specified the bounty amount that the researchers can expect for their disclosures.

In order to be eligible for the bounty, they are bound to share the security issue with PayPal before making it public, provide full details of the security issue, and allow the company reasonable time to respond to the issue before disclosing it publicly.

PayPal also says that if a disclosure respects all the guidelines they outlined, they "will not bring a private action or refer a matter for public inquiry."


How to get better at web application security

Robert Hansen, Vice President of WhiteHat Security Labs, discusses the evolution of web application security, offers advice on how to improve web application security practices, recommends tools, and more.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Thu, Aug 27th