PayPal is expanding its security-bug-reporting program to include a bounty for reported vulnerabilities, joining a growing list of vendorsincluding Google, Adobe, Mozilla and Facebookwith similar programs.
The online payment services company, like others with bounty programs, is hoping to convince people who find security flaws in its operations to report those vulnerabilities to them rather than selling them on the open market.
PayPal officials are looking for vulnerabilities in four particular areasXSS (cross-site scripting), CSRF (cross-site request forgery), SQL injection or authentication bypassand will determine the amount of bounty to be paid out on a case-by-case basis, depending on the severity and priority of the problem. PayPal developers will fix the vulnerability, then issue the fix to PayPals production environment. Then the person who found the vulnerability will be paidvia PayPal.
Details of PayPal's bounty program can be found on the company's Website.
In a June 21 blog post, Michael Barrett, PayPals chief information security officer, said the bounty program builds upon the bug-reporting initiative the company has had in place for a several years. However, while PayPals bug-reporting program was among the first instituted, it wasnt until the recent successes of the bounty programs from other vendors were made clear that PayPal officials decided to go ahead with their own, Barrett said.
The experience from other companies such as Facebook, Google, Mozilla, Samsung and others who have implemented similar programs has been very positive, he wrote. I originally had reservations about the idea of paying researchers for bug reports, but I am happy to admit that the data has shown me to be wrongits clearly an effective way to increase researchers attention on Internet-based services and therefore find more potential issues.
With more people spending more of their time and doing more business online, vendors are becoming more aggressive in their efforts to find and close vulnerabilities. Google officials in April increased the amount of money they are willing to pay researchers and hackers who report security flaws, from $3,133.70 to as much as $20,000.
Google said people finding malware that would enable remote-code execution on Googles product systems would get $20,000. A $10,000 bounty was placed on SQL injection and equivalent vulnerabilities, and for what Google officials said are "certain types of information disclosure, authentication and authorization bypass bugs." The maximum for XSS, XSRF and other high-impact flaws in sensitive applications will still fetch up to $3,133.70, they said.
Google has had the bounty program in place since November 2010. Google officials said in April that up to that point, the company had paid out about $460,000 for more than 780 vulnerability reports.
Googles bounty of up to $20,000 greatly outpaces what others offer. Mozilla reportedly offers up to $3,000 per security flaw; Facebook, which started its program in 2011, offers up to $500.
Google began offering bounties for reported vulnerabilities in November 2010, around the same time other companies, like Adobe, started their programs. PayPals Barrett said PayPal, which is owned by online auction giant eBay, is leading the efforts in its industry.
While a small handful of other companies have implemented bug bounties, we believe we are the first financial services company to do so, he wrote. Its yet another example of the innovation that PayPal is bringing to shake up the industry as the world moves more and more payments online.