PayPal Offers Bounty for Reported Security Bugs

PayPal, owned by eBay, joins Google, Facebook, Mozilla and others in offering money to security researchers to report vulnerabilities.

PayPal is expanding its security-bug-reporting program to include a bounty for reported vulnerabilities, joining a growing list of vendors€”including Google, Adobe, Mozilla and Facebook€”with similar programs.

The online payment services company, like others with bounty programs, is hoping to convince people who find security flaws in its operations to report those vulnerabilities to them rather than selling them on the open market.

PayPal officials are looking for vulnerabilities in four particular areas€”XSS (cross-site scripting), CSRF (cross-site request forgery), SQL injection or authentication bypass€”and will determine the amount of bounty to be paid out on a case-by-case basis, depending on the severity and priority of the problem. PayPal developers will fix the vulnerability, then issue the fix to PayPal€™s production environment. Then the person who found the vulnerability will be paid€”via PayPal.

Details of PayPal's bounty program can be found on the company's Website.

In a June 21 blog post, Michael Barrett, PayPal€™s chief information security officer, said the bounty program builds upon the bug-reporting initiative the company has had in place for a several years. However, while PayPal€™s bug-reporting program was among the first instituted, it wasn€™t until the recent successes of the bounty programs from other vendors were made clear that PayPal officials decided to go ahead with their own, Barrett said.

€œThe experience from other companies such as Facebook, Google, Mozilla, Samsung and others who have implemented similar programs has been very positive,€ he wrote. €œI originally had reservations about the idea of paying researchers for bug reports, but I am happy to admit that the data has shown me to be wrong€”it€™s clearly an effective way to increase researchers€™ attention on Internet-based services and therefore find more potential issues.€

With more people spending more of their time and doing more business online, vendors are becoming more aggressive in their efforts to find and close vulnerabilities. Google officials in April increased the amount of money they are willing to pay researchers and hackers who report security flaws, from $3,133.70 to as much as $20,000.

Google said people finding malware that would enable remote-code execution on Google€™s product systems would get $20,000. A $10,000 bounty was placed on SQL injection and equivalent vulnerabilities, and for what Google officials said are "certain types of information disclosure, authentication and authorization bypass bugs." The maximum for XSS, XSRF and other high-impact flaws in sensitive applications will still fetch up to $3,133.70, they said.

Google has had the bounty program in place since November 2010. Google officials said in April that up to that point, the company had paid out about $460,000 for more than 780 vulnerability reports.

Google€™s bounty of up to $20,000 greatly outpaces what others offer. Mozilla reportedly offers up to $3,000 per security flaw; Facebook, which started its program in 2011, offers up to $500.

Google began offering bounties for reported vulnerabilities in November 2010, around the same time other companies, like Adobe, started their programs. PayPal€™s Barrett said PayPal, which is owned by online auction giant eBay, is leading the efforts in its industry.

€œWhile a small handful of other companies have implemented bug bounties, we believe we are the first financial services company to do so,€ he wrote. €œIt€™s yet another example of the innovation that PayPal is bringing to shake up the industry as the world moves more and more payments online.€