“I originally had reservations about the idea of paying researchers for bug reports, but I am happy to admit that the data has shown me to be wrong — it’s clearly an effective way to increase researchers attention on Internet-based services and therefore find more potential issues,” company CISO Michael Barrett wrote in a blog post.
“White hat researchers can focus on four categories: XSS (Cross Site Scripting), CSRF (Cross Site Request Forgery), SQL Injection or Authentication Bypass,” writes GigaOM’s Ryan Kim. “After submitting bug reports through the existing PGP-encrypted reporting process, PayPal will set about determining the severity of the problem and will issue a fix if necessary. The first researcher to discover a previously unknown bug will be awarded at the discretion of PayPal, which will determine the bounty amount. And the bounty will, of course, be paid via PayPal.”
“PayPal, like other vendors who have bug bounty systems, asks that researchers notify the company of the vulnerability first and give it a reasonable amount of time to address the problem before disclosing it publicly,” writes Threatpost’s Dennis Fisher.
“PayPal has not set a bounty payout amount, so it is unclear how much various researchers may earn for their services,” writes PCMag.com’s Stephanie Miot. “Google recently hugely increased its payouts from $3,133 to $20,000, while Mozilla pays $3,000 for each security bug a third-party researcher discovers. Facebook reported a whopping $40,000 payout in the early weeks of its program.”