bump

On 29.05.2013, at 16:11, Andre Helwig wrote:

> Best solution, don't report the bugs.
> Use the bugs to get your money.. and publish them afterwards :D
>
>
> On 29.05.13 16:04, James Condron wrote:
>> Hrm,
>>
>> I read it that the issue was still the age but that the previous disclosure
>> was another reason they had found. It's sneaky and poor but I didn't read it
>> as a change in reason; just an additional thing they found. It may even be
>> true.
>>
>> The fact is they handled this poorly but whether they're lying about another
>> person finding it or not, had they been cleverly dishonest they would have
>> gone with that in the first place.
>>
>> They ought really pay, though.
>>
>> On 29 May 2013, at 14:51, Jeffrey Walton <noloader@xxxxxxxxx> wrote:
>>
>>> Hi James,
>>>
>>>> I guess the email from ebay sorta makes it all moot anyway.
>>> It's interesting how the reason code changed. On May 24 the reason was
>>> Kugler was too young; and then on May 29 the reason was the flaw was
>>> previously reported.
>>>
>>> It sounds like PayPal is lying to bring this to an end; and they've
>>> lost more credibility.
>>>
>>> Jeff
>>>
>>> On Wed, May 29, 2013 at 9:22 AM, James Condron
>>> <james@xxxxxxxxxxxxxxxxxxxx> wrote:
>>>> Ah, but then don't forget that in a contract (which this most certainly is
>>>> not- but the parallels are there) ambiguity benefits the party which
>>>> didn't draft the document.
>>>>
>>>> If it's reasonable to infer a payment, and reasonable to fail to infer an
>>>> age range, I think it's reasonable to get paid for it.
>>>>
>>>> I guess the email from ebay sorta makes it all moot anyway.
>>>>
>>>> On 29 May 2013, at 13:33, Julius Kivimäki <julius.kivimaki@xxxxxxxxx>
>>>> wrote:
>>>>
>>>>> Well, they don't exactly state that they're going to pay you either.
>>>>>
>>>>>
>>>>> 2013/5/29 Źmicier Januszkiewicz <gauri@xxxxxx>
>>>>>
>>>>>> Hmm, interesting.
>>>>>>
>>>>>> For some reason I fail to find the mentioned "age requirements" at the
>>>>>> official bug bounty page located at
>>>>>> https://www.paypal.com/us/webapps/mpp/security/reporting-security-issues
>>>>>> Am I looking in the wrong direction? Can someone please point to where
>>>>>> this is written?
>>>>>>
>>>>>> With kind regards,
>>>>>> Z.
>>>>>>
>>>>>>
>>>>>> 2013/5/29 Robert Kugler <robert.kugler10@xxxxxxxxx>
>>>>>>
>>>>>>>
>>>>>>> 2013/5/29 Jeffrey Walton <noloader@xxxxxxxxx>
>>>>>>>
>>>>>>>> On Fri, May 24, 2013 at 12:38 PM, Robert Kugler
>>>>>>>> <robert.kugler10@xxxxxxxxx> wrote:
>>>>>>>>> Hello all!
>>>>>>>>>
>>>>>>>>> I'm Robert Kugler, a 17-year-old German student who's interested in
>>>>>>>>> securing computer systems.
>>>>>>>>>
>>>>>>>>> I would like to warn you that PayPal.com is vulnerable to a Cross-Site
>>>>>>>>> Scripting vulnerability!
>>>>>>>>> PayPal Inc. is running a bug bounty program for professional security
>>>>>>>>> researchers.
>>>>>>>>>
>>>>>>>>> ...
>>>>>>>>> Unfortunately PayPal disqualified me from receiving any bounty payment
>>>>>>>>> because of being 17 years old...
>>>>>>>>>
>>>>>>>>> ...
>>>>>>>>> I don't want to allege PayPal a kind of bug bounty cost saving, but it's not
>>>>>>>>> the best idea when you're interested in motivated security researchers...
>>>>>>>> Fortunately Microsoft and Firefox took more reasonable positions for
>>>>>>>> the bugs you discovered with their products.
>>>>>>>>
>>>>>>>> PCWorld and MSN picked up the story:
>>>>>>>>
>>>>>>>> http://www.pcworld.com/article/2039940/paypal-denies-teenager-reward-for-finding-website-bug.html
>>>>>>>> and
>>>>>>>> http://now.msn.com/paypal-denies-reward-to-robert-kugler-teen-who-found-bug-in-code
>>>>>>>> .
>>>>>>>> It is now newsworthy to Wikipedia, where it will live forever under
>>>>>>>> Criticisms (unfortunately, it appears PayPal does a lot of
>>>>>>>> questionable things so it's just one of a long list).
>>>>>>>>
>>>>>>>> Jeff
>>>>>>>>
>>>>>>> Today I received an email from PayPal Site Security:
>>>>>>>
>>>>>>> "Hi Robert,
>>>>>>>
>>>>>>> We appreciate your research efforts and we are sorry that our
>>>>>>> age requirements restrict you from participating in our Bug Bounty
>>>>>>> Program.
>>>>>>> With regards to your specific bug submission, we should have also mentioned
>>>>>>> that the vulnerability you submitted was previously reported by another
>>>>>>> researcher and we are already actively fixing the issue. We hope that you
>>>>>>> understand that bugs that have previously been reported to us are not
>>>>>>> eligible for payment as we must honor the original researcher that provided
>>>>>>> the vulnerability.
>>>>>>>
>>>>>>> I would also mention that in general, PayPal has been a consistent
>>>>>>> supporter of what is known as "responsible disclosure". That is, ensuring
>>>>>>> that a company has a reasonable amount of time to fix a bug from
>>>>>>> notification to public disclosure. This allows the company to fix the bug,
>>>>>>> so that criminals cannot use that knowledge to exploit it, but still gives
>>>>>>> the researchers the ability to draw attention to their skills and
>>>>>>> experience. When researchers go down the "full disclosure" path, it then
>>>>>>> puts us in a race with criminals who may successfully use the vulnerability
>>>>>>> you found to victimize our customers. We do not support the full
>>>>>>> disclosure methodology, precisely because it puts real people at
>>>>>>> unnecessary risk. We hope you keep that in mind when doing future
>>>>>>> research.
>>>>>>>
>>>>>>> We acknowledge that PayPal can do more to recognize younger security
>>>>>>> researchers around the world. As a first step, we would like you to be the
>>>>>>> first security researcher in the history of our program to receive an
>>>>>>> official "Letter of Recognition" from our Chief Information Security
>>>>>>> Officer Michael Barrett (attached, will follow up with a signed copy
>>>>>>> tomorrow). We truly appreciate your contribution to helping keep PayPal
>>>>>>> secure for our customers and we will continue to explore other ways that we
>>>>>>> can provide alternate recognition for younger researchers.
>>>>>>>
>>>>>>> We'd welcome the chance to explain this all to you first hand over the
>>>>>>> phone, please email us at this address with a number and good time to reach
>>>>>>> you and we'd be happy to follow up.
>>>>>>>
>>>>>>> Thank you,
>>>>>>> PayPal Site Security"
>>>>>>>
>>>>>>> It's still curious that they only mentioned the first researcher who
>>>>>>> previously found the bug after all the media attention... Nevertheless I
>>>>>>> appreciate their intentions to acknowledge also younger security
>>>>>>> researchers, it's a step in the right direction!!
>>>>>>>
>>>>>>> Best regards,
>>>>>>>
>>>>>>> Robert Kugler
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>
>
> --
> SysEleven GmbH
> Umspannwerk - Entrance C
> Ohlauer Straße 43
> 10999 Berlin
>
> Tel +49 30 233 2012 0
> Fax +49 30 616 755 50
>
> http://www.syseleven.de
> http://www.facebook.com/SysEleven
>
> Registered office: Berlin
> Registry court: AG Berlin Charlottenburg, HRB 108571 B
> Managing directors: Marc Korthaus, Thomas Lohner