Robert Kugler, a 17-year-old German student submitted a bug report to PayPal’s bounty program earlier this month, and was told he was too young to receive payment. Since reporting it offered no results, Kugler decided to go public – a move that would touch off another discussion about how vendors should treat researchers who find bugs in their products.
PayPal’s decision to disqualifying Kugler from its bounty program prompted him to post his cross-site scripting (XSS) discovery to the Full Disclosure mailing list just before Memorial Day weekend in the U.S. After his story was picked-up by the media, PayPal contacted him again – this time adding a second reason as to why he wouldn’t qualify for payment – someone else had discovered the XSS first.
However, it is the scolding tone of the email when it discusses disclosure that raised some eyebrows.
“PayPal has been a consistent supporter of what is known as ‘responsible disclosure’,” the email states. “That is, ensuring that a company has a reasonable amount of time to fix a bug from notification to public disclosure. This allows the company to fix the bug, so that criminals cannot use that knowledge to exploit it, but still gives the researchers the ability to draw attention to their skills and experience.”
“When researchers go down the “full disclosure” path, it then puts us in a race with criminals who may successfully use the vulnerability you found to victimize our customers,” PayPal continued. “We do not support the full disclosure methodology, precisely because it puts real people at unnecessary risk. We hope you keep that in mind when doing future research.”
While many argued, despite the bounty program’s rules (and due to PayPal not disclosing relevant details sooner) that Kugler should be paid for his efforts, or at the least credited, others disagreed.
“In this case the little guy had no knowledge…the issue was already reported multiple times and the others was [sic] all silent. At the end he lost all … he got no money, his bug got not accepted and he will not get anymore the possibility to report future issues because he broke the policy with a full disclosure for no reason,” commented a researcher from Vulnerability-Lab, which recently reported an SQL Injection issue to PayPal.
In the end, Kugler did get something for the effort. He will be the first researcher since PayPal started their bounty program to get a letter of recognition from the company’s CISO, Michael Barrett. In the meantime, PayPal has patched the flaw.