"I have the privilege of leading a world renowned security team but we realize that no company can do it all alone," PayPal's CISO Michael Barrett wrote in a blog post. "To that end, we were one of the first companies to implement a bug reporting process for outside security researchers."
"I originally had reservations about the idea of paying researchers for bug reports, but I am happy to admit that the data has shown me to be wrong – it’s clearly an effective way to increase researchers attention on Internet-based services and therefore find more potential issues," he concluded.
PayPal is searching for reports on XSS (cross site scripting), CSRF (cross site request forgery), SQL injection and authentication bypass vulnerabilities, but hasn't yet specified the bounty amount that the researchers can expect for their disclosures.
In order to be eligible for the bounty, they are bound to share the security issue with PayPal before making it public, provide full details of the security issue, and allow the company reasonable time to respond to the issue before disclosing it publicly.
PayPal also says that if a disclosure respects all the guidelines they outlined, they "will not bring a private action or refer a matter for public inquiry."