I’m a big fan of bug bounty programs. I simply think it’s better to invite hackers to find your weaknesses and reward them financially than to bury your head in the sand at the suggestion that your products have security holes. So I welcome the news that PayPal is jumping on the bounty bandwagon.

PayPal CISO Michael Barrett announced the bug bounty in a blog post, saying:

I have the privilege of leading a world-renowned security team, but we realize that no company can do it all alone. Today I’m pleased to announce that we have updated our original bug reporting process into a paid “bug bounty” program. The experience from other companies such as Facebook, Google, Mozilla, Samsung and others who have implemented similar programs has been very positive. I originally had reservations about the idea of paying researchers for bug reports, but I am happy to admit that the data has shown me to be wrong – it’s clearly an effective way to increase researchers’ attention on Internet-based services and therefore find more potential issues.

Here’s how Barrett described the new process:

1. Researchers submit bug reports to us, via the same secure reporting process using PGP encryption that we had in place previously.
2. We categorize the report into one of four categories: XSS (Cross Site Scripting), CSRF (Cross Site Request Forgery), SQL Injection or Authentication Bypass.
3. We will then determine the severity and priority of the problem, and our developers will fix the issue and then release the fix into our production environment.
4. We then pay the researcher – via PayPal, of course – once the bug is fixed.

It used to be that when researchers found a vulnerability in a vendor’s products, the vendor would ignore the details and complain to the press about hackers putting their customers at risk by irresponsibly exposing flaws. Actually, it’s still that way for some companies. But in recent years we’ve seen more of a shift toward bug bounty programs.
PayPal deserves congratulations for taking this step in the right direction.