Robert Kugler and Paypal’s bug bounty eligibility requirements

For professional security researchers, participating in bug bounty programs is one means of earning money on the side. It is also the easiest means of building up street cred. And many companies take advantage of their skills, recognizing that it's either they find and fix bugs in their products first or the bad guys do and exploit them. For Black Hats, the underground market for exploit code is a very lucrative one.

So, many companies run these bug bounty programs to encourage White-Hat security professionals to show off their skills and make some money while doing so. Robert Kugler is one such security professional who took part in Paypal's bug bounty program. He found a Cross-Site Scripting (XSS) bug on Paypal.com and reported it, hoping to collect whatever reward was due.

But Paypal refused to pay. Why? At 17 years of age, Robert Kugler, according to Paypal, does not meet the age-related eligibility requirement for participating in the program. Curiously, that specific requirement is not stated in the publicly available description of the program, which is available here.

Not happy with Paypal for refusing to pay, Robert posted his finding (and the exploit code) at Packet Storm.

The email exchange between him and Paypal is shown in the three images.

[Images: Paypal bug bounty email exchange with Robert Kugler about the XSS report]

I think if this age-related requirement had been made very clear in the program's description, Paypal would have a good case for refusing to pay the bounty to Robert. So obviously, Robert is not a very happy kid. Paypal recognizes that and is trying to patch things up.

But Paypal’s way of compensating Robert for his efforts is a “Letter of Appreciation,” which you may read here (PDF file).

In that letter, Paypal promised to send him “some more tangible signs of our appreciation of your efforts.” Let’s wait and see what Paypal’s “more tangible signs of our appreciation” translates into.


One Comment

  1. Hope PayPal likes having zero-days posted to the FD list with no advance warning.
