Payment services provider PayPal will reward security researchers who discover vulnerabilities in its website with money, if they report their findings to the company in a responsible manner.
If you manage to find a security flaw in any of PayPal’s products, you may be entitled to a cash reward. "I'm pleased to announce that we have updated our original bug reporting process into a paid 'bug bounty' program," PayPal's Chief Information Security Officer Michael Barrett said in a blog post on Thursday. While Barrett disclosed vulnerability categories, he did not say how much cash the firm will be offering.
PayPal plans to categorize reported bugs into one of four categories:
- XSS (Cross-Site Scripting)
- CSRF (Cross-Site Request Forgery)
- SQL Injection
- Authentication Bypass

Researchers need to have a verified PayPal account in order to receive the monetary rewards.
"I originally had reservations about the idea of paying researchers for bug reports, but I am happy to admit that the data has shown me to be wrong - it's clearly an effective way to increase researchers' attention on Internet-based services and therefore find more potential issues."
Marius Gabriel Avram, a security engineer at U.K.-based security firm RandomStorm, looks for vulnerabilities in Web services operated by Google, Facebook, Twitter, Microsoft, eBay, PayPal and other companies that allow security researchers to do so, as long as they report their findings privately and don't cause any damage. It's like a challenge that helps security researchers improve their skills and, in some cases, earn some extra money, Avram said.
Avram found and reported over 10 security issues in PayPal's main and mobile websites during the past two weeks. Some of them were of high severity, he said, adding that PayPal's staff responded every time.
PayPal deserves congratulations for taking this step in the right direction.