September 21, 2014

PayPal launches bug bounty program

(LiveHacking.Com) – PayPal has joined the likes of Google and Facebook by launching a program which rewards security researcher for finding vulnerabilities in its website and services. The type of vulnerabilities that PayPal are looking for include: XSS, CSRF/XSRF, SQL injections and Authentication bypass errors.

However one type of vulnerability won’t be considered by PayPal, the Logout CSRF. According to PayPal there are multiple techniques like “cookie forcing” and “cookie bombardment” that can make it futile to defend against this attack, and so the Bug Bounty panel will not consider reports of vulnerabilities that force users to be logged out from PayPal.

“We recognize the important role that security researchers and our user community play in keeping PayPal and our customers secure,” wrote PayPal. “To encourage responsible disclosure, we commit that – if we conclude that a disclosure respects and meets all the guidelines outlined below – we will not bring a private action or refer a matter for public inquiry.”

PayPal hasn’t yet disclosed exactly how much money will be paid for each vulnerability found, but Google pay $500 or more depending on the severity.

Share and Enjoy:
  • Print
  • Digg
  • StumbleUpon
  • del.icio.us
  • Facebook
  • Yahoo! Buzz
  • Twitter
  • Google Bookmarks