mailing list archives
PayPal.com XSS Vulnerability
From: Robert Kugler <robert.kugler10 () gmail com>
Date: Fri, 24 May 2013 18:38:44 +0200
I'm Robert Kugler a 17 years old German student who's interested in
securing computer systems.
I would like to warn you that PayPal.com is vulnerable to a Cross-Site
PayPal Inc. is running a bug bounty program for professional security
XSS vulnerabilities are in scope. So I tried to take part and sent my find
to PayPal Site Security.
The vulnerability is located in the search function and can be triggered
Unfortunately PayPal disqualified me from receiving any bounty payment
because of being 17 years old...
PayPal Site Security:
"To be eligible for the Bug Bounty Program, you *must not*:
... Be less than 18 years of age.If PayPal discovers that a researcher does
not meet any of the criteria above, PayPal will remove that researcher from
the Bug Bounty Program and disqualify them from receiving any bounty
I don’t want to allege PayPal a kind of bug bounty cost saving, but it’s
not the best idea when you're interested in motivated security
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/
- PayPal.com XSS Vulnerability Robert Kugler (May 25)