PayPal jumps on the bug bounty bandwagon

Jun 25, 2012 · 2 mins
Cloud Security, Data and Information Security

I’m a big fan of bug bounty programs. I simply think it’s better to invite hackers to find your weaknesses and reward them financially than to bury your head in the sand at the suggestion your products have security holes. So I welcome news that PayPal is jumping on the bounty bandwagon.

PayPal CISO Michael Barrett announced the bug bounty in a blog post, saying:

I have the privilege of leading a world-renowned security team but we realize that no company can do it all alone. Today I’m pleased to announce that we have updated our original bug reporting process into a paid “bug bounty” program. The experience from other companies such as Facebook, Google, Mozilla, Samsung and others who have implemented similar programs has been very positive. I originally had reservations about the idea of paying researchers for bug reports, but I am happy to admit that the data has shown me to be wrong – it’s clearly an effective way to increase researchers’ attention on Internet-based services and therefore find more potential issues.

Here’s how Barrett described the new process:

1. Researchers submit bug reports to us, via the same secure reporting process using PGP encryption that we had in place previously.

2. We categorize the report into one of four categories:

  • XSS (Cross Site Scripting),
  • CSRF (Cross Site Request Forgery),
  • SQL Injection or
  • Authentication Bypass

3. We will then determine the severity and priority of the problem and our developers will fix the issue and then release the fix into our production environment.

4. We then pay the researcher – via PayPal, of course – once the bug is fixed.

It used to be that when researchers found a vulnerability in a vendor’s products, the vendor would ignore the details and complain to the press about hackers putting their customers at risk by irresponsibly exposing flaws. Actually, it’s still that way for some companies. But in recent years we’ve seen more of a shift toward bug bounty programs.

PayPal deserves congratulations for taking this step in the right direction.