A German student claims that PayPal has denied him a reward for finding a vulnerability on its website because he is too young.
Seventeen-year-old Robert Kugler said he notified PayPal of the vulnerability on May 19 and was informed by email that, because he is under 18, he did not qualify for the site’s Bug Bounty Program. In the guidelines outlined on PayPal’s website regarding the Bug Bounty Program, there doesn’t seem to be an age restriction.
Kugler will turn 18 next March.
Many companies such as Google and Facebook have reward programs. The programs are intended to create an incentive for website users to report problems and create fixes before hackers can take advantage.
Google pays from $100 up to $20,000 depending on the severity of the issue and Facebook pays a minimum of $500 for qualifying bugs. Neither company has age restrictions listed on their websites.
Kugler said he received rewards for finding vulnerabilities in the past. Mozilla paid him $1,500 for finding a problem with its Firefox browser last year and $3,000 for identifying another bug earlier this year, according to PC World.
PayPal outlines its policy on its website under the heading For Professional Researchers: Bug Bounty Program. According to the policy:
Our team of dedicated security professionals work vigilantly to keep customer information secure. We recognize the important role that security researchers and our user community play in keeping PayPal and our customers secure. If you discover a site or product vulnerability please notify us using the guidelines below.
To encourage responsible disclosure, we commit that – if we conclude that a disclosure respects and meets all the guidelines outlined below – we will not bring a private action or refer a matter for public inquiry.
- PayPal security team will determine the bounty amount and all decisions are final.
- Bounty is awarded to the first person that discovers the previously unknown bug.
- The bug bounty program is subject to change or to cancellation at any point without notice.
- The bug bounty is valid for all PayPal web sites only.
- Payment is paid out through a verified PayPal account, once the bug is fixed.
PayPal offered this statement on the matter to TechWeekEurope:
“While we appreciate Mr. Kugler’s contribution to PayPal’s Bug Bounty Program, we can confirm that the cross-scripting vulnerability he identified was already discovered by another security researcher and Mr. Kugler is ineligible to participate in the program since he is under 18 years old.”