Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

PayPal Scolds Teenager for Posting to Full Disclosure Mailing List

Robert Kugler, a 17-year-old German student submitted a bug report to PayPal’s bounty program earlier this month, and was told he was too young to receive payment. Since reporting it offered no results, Kugler decided to go public – a move that would touch off another discussion about how vendors should treat researchers who find bugs in their products.

Robert Kugler, a 17-year-old German student submitted a bug report to PayPal’s bounty program earlier this month, and was told he was too young to receive payment. Since reporting it offered no results, Kugler decided to go public – a move that would touch off another discussion about how vendors should treat researchers who find bugs in their products.

PayPal’s decision to disqualifying Kugler from its bounty program prompted him to post his cross-site scripting (XSS) discovery to the Full Disclosure mailing list just before Memorial Day weekend in the U.S. After his story was picked-up by the media, PayPal contacted him again – this time adding a second reason as to why he wouldn’t qualify for payment – someone else had discovered the XSS first.

However, it is the scolding tone of the email when it discusses disclosure that raised some eyebrows.

“PayPal has been a consistent supporter of what is known as ‘responsible disclosure’,” the email states. “That is, ensuring that a company has a reasonable amount of time to fix a bug from notification to public disclosure. This allows the company to fix the bug, so that criminals cannot use that knowledge to exploit it, but still gives the researchers the ability to draw attention to their skills and experience.”

“When researchers go down the “full disclosure” path, it then puts us in a race with criminals who may successfully use the vulnerability you found to victimize our customers,” PayPal continued. “We do not support the full disclosure methodology, precisely because it puts real people at unnecessary risk. We hope you keep that in mind when doing future research.”

While many argued, despite the bounty program’s rules (and due to PayPal not disclosing relevant details sooner) that Kugler should be paid for his efforts, or at the least credited, others disagreed.

“In this case the little guy had no knowledge…the issue was already reported multiple times and the others was [sic] all silent. At the end he lost all … he got no money, his bug got not accepted and he will not get anymore the possibility to report future issues because he broke the policy with a full disclosure for no reason,” commented a researcher from Vulnerability-Lab, which recently reported an SQL Injection issue to PayPal.

Advertisement. Scroll to continue reading.

In the end, Kugler did get something for the effort. He will be the first researcher since PayPal started their bounty program to get a letter of recognition from the company’s CISO, Michael Barrett. In the meantime, PayPal has patched the flaw.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.

Register

Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.