PayPal denies teenager reward for finding website bug

PayPal, like many other huge corporations with internet operations, has a “bug bounty program” where they will pay researchers for finding bugs, glitches and exploits in their stuff. In this case a 17-year-old kid from Germany by the name of Robert Kugler finds a vulnerability in one of PayPal’s sites… guess what, PayPal won’t pay him, citing some terms which are not actually part of the bug bounty terms (typical PayPal behaviour then). They’re picking on the kid’s age: they say he needs a verified PayPal account, which he can’t have because he’s not 18, so he asked for the reward to be paid into his parents’ account, but PayPal won’t because “technically” the parents did not find the bug. The kid also asked for a letter so he can use it on job applications; they have not come forward with that yet either. So next time he finds something I wonder where he’s going to be sending that information…


Oddly I trust this guy more than PayPal

More info on the story:

The original posting on “Full Disclosure” (seclists.org/fulldisclosure/2013/May/163) and a mirror:

Hello all!

I'm Robert Kugler, a 17-year-old German student who's interested in
securing computer systems.

I would like to warn you that PayPal.com is vulnerable to a Cross-Site
Scripting vulnerability!
PayPal Inc. is running a bug bounty program for professional security
researchers.

https://www.paypal.com/us/webapps/mpp/security/reporting-security-issues

XSS vulnerabilities are in scope. So I tried to take part and sent my find
to PayPal Site Security.

The vulnerability is located in the search function and can be triggered
with the following javascript code:

';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";
alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--
</SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
https://www.paypal.com/de/cgi-bin/searchscr?cmd=_sitewide-search

Screenshot: http://picturepush.com/public/13144090

Unfortunately PayPal disqualified me from receiving any bounty payment
because of being 17 years old...

PayPal Site Security:

"To be eligible for the Bug Bounty Program, you *must not*:
... Be less than 18 years of age. If PayPal discovers that a researcher does
not meet any of the criteria above, PayPal will remove that researcher from
the Bug Bounty Program and disqualify them from receiving any bounty
payments."

I don't want to accuse PayPal of a kind of bug bounty cost saving, but it's
not the best idea when you're interested in motivated security
researchers...

Best regards,

Robert Kugler
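The flaw described in the post above is a reflected cross-site scripting bug: whatever is typed into the search box is written back into the page as raw HTML, so quotes and tags in the query become part of the document's markup. The following is an added example, not code from PayPal or from Robert Kugler's post. It shows a hypothetical search-results renderer in its vulnerable form beside a hardened form that entity-encodes the query at the point of insertion, plus a simple canary check a defender can run against any page that echoes user input. The function names, the page template and the probe string are all assumptions made for this illustration.

```javascript
// Added example (not PayPal's code): reflected XSS in a search page,
// vulnerable rendering beside hardened rendering, plus a canary self-check.

// Minimal HTML entity encoder for text placed inside element content or a
// double-quoted attribute value. It encodes the five characters that can end
// a text node or attribute value and start new markup.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable (hypothetical template): the query is pasted straight into the
// page, so a query containing  "  or  <  rewrites the document structure.
function renderSearchVulnerable(query) {
  return `<input type="text" name="q" value="${query}">` +
         `<p>Results for ${query}</p>`;
}

// Hardened: the same template, but the query is entity-encoded where it is
// inserted into HTML. The browser displays the original characters, yet
// none of them can terminate the attribute or open a tag.
function renderSearchHardened(query) {
  const q = escapeHtml(query);
  return `<input type="text" name="q" value="${q}">` +
         `<p>Results for ${q}</p>`;
}

// Defender's self-check: render a benign canary that contains every markup
// character and report whether it came back verbatim. A page that echoes the
// canary unchanged is reflecting input without encoding.
function reflectsUnescaped(renderFn, probe) {
  return renderFn(probe).includes(probe);
}

// Constructed probe value (no script, just the characters that matter).
const PROBE = `"<x-probe a='1'>&`;

console.log('vulnerable reflects canary:', reflectsUnescaped(renderSearchVulnerable, PROBE)); // true
console.log('hardened reflects canary:  ', reflectsUnescaped(renderSearchHardened, PROBE));   // false
console.log(renderSearchHardened(PROBE));
```

The canary deliberately contains no script: it only needs the characters that can break out of an attribute or text node, which is enough to tell whether the encoding step is missing. Encoding must happen at the point where the value is written into HTML, and the encoder must match that context (attribute value or element content here); encoding once on input and trusting it everywhere is the pattern that leaves gaps like the one reported above.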

PC World article: www.pcworld.com/article/2039940/paypal-denies-teenager-reward-for-finding-website-bug.html

One comment

  1. It’s how people get rich, by ripping off other people. Use people as much as possible and don’t pay them; been down that road many times myself. I guess the kid got a first-rate example of how businesses work! Totally sux of course.
