Great news! A few months ago I submitted a Cross-Site Scripting Vulnerability to the official Bug Bounty program of PayPal:

It was accepted, fixed and fully paid out, and I was very excited about the nice bounty :-). Additionally, this has been my first participation in an official bug bounty program – and quite a great experience. Racing for bugs is fun – especially when beating the big players ;-)! Ok, now the facts: the vulnerability was taken seriously by the security team and they took some time to fix the issue carefully, which is acceptable if you have a complex site like this one. Therefore I’m still wondering about one very frustrating thing: the communication process. It sometimes took days to weeks to get an answer from the security team, and some of my messages are still unanswered today :-( I hope PayPal will improve this in the future!

Anyways.

These bug bounty programs are a great way to have the hacker community secure websites and applications, which makes the product even stronger. Why only take the help of ONE pentesting consultant if you can have a lot of eyes testing your system for good… and reward the researchers with attractive bounties?

Google is the perfect example (again) (yes, I like them): they pay out for every high and critical vulnerability in Chrome and even for smaller vulnerabilities on their websites. If you find e.g. a SQL injection on one of their flagship websites, they’ll pay you around 20.000$; if you find a way to exploit Chrome using a very complex method, they’ll pay you even more, or probably offer you a job ;-). Other vendors like Facebook, Mozilla or GitHub go this way too and it seems to work quite smoothly. Why is Google’s Chrome considered to be the safest browser on earth? And why is Internet Explorer the worst? There should be more of such bug bounties!

(PayPal) Bug Bounty – A handy way to secure your website

3 thoughts on “(PayPal) Bug Bounty – A handy way to secure your website”

  • October 11, 2012 at 9:29 am

    How much € did they pay you for that bug?

    • October 11, 2012 at 6:28 pm

      More than I expected – approx the same bounty that Google pays for this kind of vulnerability, but I do not talk about the exact sum publicly. Sorry.

  • October 11, 2012 at 2:16 pm

    Cool, that’s great Mr. Tux, nice information… I will start to work on this bounty program :-)
