PayPal denies stiffing bug-hunting teen on bounty
Someone else got there first, claims firm
PayPal has denied that it refused a teenage security researcher a reward for finding a potentially nasty bug on the basis that he was too young. The payments processing firm said that while it had denied the 17-year-old a reward, it was because another researcher had already reported the flaw.
Robert Kugler, 17, found a cross-site scripting flaw on the payment processing firm's website before claiming a reward under PayPal's bug bounty programme.
Initially, Kugler claimed PayPal had told him in an email that he was ineligible for a reward because he was too young.
The terms and conditions for the reward scheme do not mention anything about the bounty being restricted to those over 18.
The German student recently published details of the bug, along with what he claimed were extracts from his email correspondence with PayPal, on a full disclosure mailing list, provoking damaging headlines along the lines of "PayPal Stiffs Teen Who Found Website Bug".
In response to queries from El Reg, PayPal said Kugler had been denied the reward not because he was too young, but because someone else had previously reported the same flaw, directly contradicting Kugler's account.
The eBay payments subsidiary said it was resolving the vulnerability, stressing that there was no evidence that it had been abused in any attacks to date and therefore no need for undue concern.
While we always appreciate contributions by the security community to PayPal's Bug Bounty Program, we reward participants when they are the first to report valid security vulnerabilities.
In this specific situation, the cross-site scripting vulnerability was already discovered by another security researcher, so [the bug] would not have been eligible for payment, regardless of age [of the researcher], as we must honour the original researcher that provided the vulnerability.
We appreciate the security researcher's efforts and this situation illustrates that PayPal can do more to recognise younger security researchers around the world. As a first step, we are sending an official letter of recognition for the researcher's contribution and we are exploring other ways to recognise younger security researchers when they do discover a vulnerability and responsibly disclose that discovery.
PayPal's conditions do state that its bounty is only awarded to the first person who discovers a previously unknown bug. El Reg asked PayPal which researcher was first to report this bug, as well as how many bug bounties it had paid out. It declined to answer both questions, so we're none the wiser.
"PayPal does not share the details on the researchers or the number of bugs found," a spokesman said.
Kugler said he is less than impressed with PayPal's handling of his vulnerability report and how it runs its bug bounty programme more generally.
"It's a strange behaviour from PayPal," Kugler told El Reg. He claimed: "In my email correspondence with PayPal, no one ever mentioned someone else found the bug! They only said: 'You're disqualified because of being 17 years old'."
He went on to claim: "After all that media attention they introduced: 'No, we disqualified his bug because someone else already found it, not for being 17 years old'. Maybe it's just me, but I think they just want to avoid the payment. Two security researchers (one from China and one from India) found the same bug and always the same reply: Someone else found it, we are sorry!"
XSS marks the spot
Cross-site scripting (XSS) vulnerabilities arise from web application development mistakes. Attackers can exploit XSS vulns to inject scripts or pop-ups from untrusted sources that appear to surfers to originate from the site they are visiting. XSS flaws are a common class of vuln, most regularly abused in phishing attacks.
The cross-site scripting flaw in the search function on PayPal's German site which Kugler (and perhaps others) discovered is a bit more serious, however, because it is capable of being abused to access credentials.
"An XSS attack occurs when a script drawn from another website is allowed to run but should not," Kugler explained. "The type of flaw can be used to steal information or potentially cause other malicious code to run."
The PayPal XSS bug was fixed on Wednesday, according to Kugler.
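To make the search-box flaw described above concrete, here is an added illustration (not PayPal's code and not taken from Kugler's report): a constructed search results page that reflects the query verbatim, a half-fix that encodes angle brackets but not quotes, and the proper fix, with a parser-based check that reports which version lets query text turn into markup.

```python
import html
from html.parser import HTMLParser

# Constructed search page (not PayPal's markup): the query is reflected
# twice, as element text and inside a quoted attribute value.
PAGE = ('<html><body><h1>Results for: {q}</h1>'
        '<input type="text" name="q" value="{q}"></body></html>')
PAGE_TAGS = {"html", "body", "h1", "input"}
PAGE_ATTRS = {"type", "name", "value"}

def render_unsafe(query: str) -> str:
    """Vulnerable: the query is interpolated verbatim, so markup in it
    becomes part of the page and runs in the site's own origin."""
    return PAGE.format(q=query)

def render_partially_fixed(query: str) -> str:
    """Frequent half-fix: encode < > & but leave quotes alone. Element
    text is now safe, but a query can still close the attribute value."""
    return PAGE.format(q=html.escape(query, quote=False))

def render_safe(query: str) -> str:
    """Fix: encode < > & and both quote characters, so the query is
    rendered as inert text in either context."""
    return PAGE.format(q=html.escape(query, quote=True))

class _Collector(HTMLParser):
    """Records every tag and attribute name the parser sees."""
    def __init__(self) -> None:
        super().__init__()
        self.tags, self.attrs = set(), set()

    def handle_starttag(self, tag, attrs) -> None:
        self.tags.add(tag)
        self.attrs.update(name for name, _ in attrs)

def injected_markup(rendered: str) -> list[str]:
    """Parse the page the way a browser would and report any element or
    attribute the template never defined; those came from the query."""
    p = _Collector()
    p.feed(rendered)
    p.close()
    return sorted([f"tag:{t}" for t in p.tags - PAGE_TAGS]
                  + [f"attr:{a}" for a in p.attrs - PAGE_ATTRS])

if __name__ == "__main__":
    # Constructed probes: one lands in element text, one in the attribute.
    for probe in ("<script>alert(1)</script>", '" data-injected="1'):
        for render in (render_unsafe, render_partially_fixed, render_safe):
            print(f"{render.__name__:22} {probe!r:30} -> {injected_markup(render(probe))}")
```

The half-fixed renderer passes the first probe but fails the second, which is why output encoding has to match the HTML context the value lands in.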
A bug's life
Bug bounty programmes have become commonplace across the industry over recent years. The schemes offer an incentive for researchers to report flaws to vendors, rather than selling details of them on vulnerability marketplaces to whoever stumps up enough cash.
Google, in particular, is an expert at attracting media attention to its own bug bounty programme. PayPal, by contrast, is reluctant to talk about its own vulnerability reward scheme, perhaps because the nature of its payment-handling business makes it reluctant to get drawn into any kind of discussion about the security of its website.
The only known recipient of a bug bounty from PayPal is Germany-based security research outfit Vulnerability Laboratory, which earned a $3,000 reward back in January after discovering and reporting a critical bug to PayPal five months prior.
The flaw, a SQL injection vulnerability in the official PayPal GP+ Web Application Service, created a potential mechanism for hackers to inject commands through the compromised web app into the backend databases, potentially tricking them into coughing up sensitive data in the process.
Although he struck out when he reported a problem to PayPal, Kugler has successfully collaborated with other vendors.
The German teen has received a $3,000 award from Mozilla for finding a privilege escalation bug in Firefox, and another $1,500 for locating a separate flaw in Mozilla Updater. He also received a hat tip for security research from Microsoft, getting a shout-out on its list of security researchers, though no financial reward for his efforts as yet.
"IT security is an interesting topic and I like to test things," Kugler told El Reg. "Sometimes things work differently under special circumstances, it's exciting to study this behaviour." ®
* Additional reporting by Iain Thomson