Security researchers can submit XSS, CSRF, SQL Injection and authentication bypass flaws

Jun 22, 2012 08:50 GMT

PayPal joins companies such as Mozilla and Google in launching a bug bounty program that pays security researchers who report vulnerabilities that could affect the online payment service and its customers.

“Today I’m pleased to announce that we have updated our original bug reporting process into a paid ‘bug bounty’ program. The experience from other companies such as Facebook, Google, Mozilla, Samsung and others who have implemented similar programs has been very positive,” PayPal’s Chief Information Security Officer Michael Barrett explained.

“I originally had reservations about the idea of paying researchers for bug reports, but I am happy to admit that the data has shown me to be wrong – it’s clearly an effective way to increase researchers’ attention on Internet-based services and therefore find more potential issues.”

So, how does the bug bounty program work?

The process is fairly simple. The researcher encrypts the report with PayPal’s PGP public key (available here) and submits it to [email protected].

PayPal’s own security team then triages the report, rates its severity and assigns it a priority. The development team takes over and fixes the issue.

Once the bug is fixed, the researcher is paid into a verified PayPal account.
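The submission step above amounts to encrypting the write-up to the program’s PGP public key before it leaves your machine. The script below is an added example of that step with GnuPG; it is not PayPal’s own tooling or part of the original article. Because the real key and address are not reproduced on this page, the script generates a throwaway recipient key in a temporary keyring as a stand-in (the address recipient@example.invalid and the constructed sample report are assumptions for the demo). Two habits it shows that matter in practice: check the key’s fingerprint against the value published out of band before encrypting, and encrypt to that fingerprint rather than to an e-mail address, so a look-alike key that someone else uploaded to a keyserver under the same address can never be selected.

```shell
#!/bin/sh
# Added example: encrypt a vulnerability report to a program's PGP public key
# with GnuPG. Runs entirely in a throwaway keyring; nothing touches your real keys.
set -eu

export GNUPGHOME
GNUPGHOME="$(mktemp -d)"
chmod 700 "$GNUPGHOME"
# allow-loopback-pinentry lets --passphrase work non-interactively on older 2.1.x agents
echo "allow-loopback-pinentry" > "$GNUPGHOME/gpg-agent.conf"
trap 'gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$GNUPGHOME"' EXIT

# Assumption for the demo: a locally generated key stands in for the program's
# published key. In real use you would `gpg --import` the published key instead.
RECIPIENT="recipient@example.invalid"

make_demo_recipient_key() {
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key "$RECIPIENT" default default never
}

# Primary-key fingerprint of the key that matches RECIPIENT (first match only).
recipient_fingerprint() {
    gpg --batch --with-colons --fingerprint "$RECIPIENT" 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# encrypt_report EXPECTED_FPR INFILE OUTFILE
# Refuses to encrypt unless the key in the keyring has the fingerprint you were
# given out of band, then encrypts to that fingerprint (not to the e-mail address).
encrypt_report() {
    expected_fpr=${1:?expected fingerprint}
    infile=${2:?input file}
    outfile=${3:?output file}
    actual_fpr=$(recipient_fingerprint)
    if [ "$actual_fpr" != "$expected_fpr" ]; then
        printf 'refusing to encrypt: keyring fingerprint %s != expected %s\n' \
            "$actual_fpr" "$expected_fpr" >&2
        return 1
    fi
    gpg --batch --yes --quiet --trust-model always --armor \
        --recipient "$expected_fpr" --output "$outfile" --encrypt "$infile"
}

# decrypt_report FILE: prints the plaintext (demo key has an empty passphrase).
decrypt_report() {
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' --decrypt "${1:?file}"
}

# Demo run: generate the stand-in key, encrypt a constructed sample report, round-trip it.
make_demo_recipient_key
DEMO_FPR=$(recipient_fingerprint)
printf 'Reflected XSS in search parameter (constructed sample report)\n' > "$GNUPGHOME/report.txt"
encrypt_report "$DEMO_FPR" "$GNUPGHOME/report.txt" "$GNUPGHOME/report.asc"
printf 'Encrypted to fingerprint %s\n' "$DEMO_FPR"
cat "$GNUPGHOME/report.asc"
printf 'Decrypted: %s\n' "$(decrypt_report "$GNUPGHOME/report.asc")"
```

The fingerprint passed to `encrypt_report` is the one thing you must obtain from a channel other than the keyserver or the e-mail itself (the program’s own page, a signed announcement); if it does not match what is in your keyring, the script stops rather than encrypting to an unknown party.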

The vulnerabilities that researchers can report are split into four categories: cross-site scripting (XSS), cross-site request forgery (CSRF), SQL Injection, and authentication bypass.

“While a small handful of other companies have implemented bug bounties, we believe we are the first financial services company to do so. It’s yet another example of the innovation that PayPal is bringing to shake up the industry as the world moves more and more payments online,” Barrett concluded.

We applaud PayPal’s decision to reward security researchers: it will not only make the payment platform safer, but also encourage the responsible disclosure of vulnerabilities.