PayPal Rewards Researcher with $5,000 for Finding Remote Code Execution Flaw

Security expert Rafay Baloch has also been offered a position with the company

By Eduard Kovacs on December 12th, 2012 12:09 GMT

Independent security researcher Rafay Baloch has been awarded $5,000 (3,900 EUR) by PayPal after identifying a remote code execution vulnerability on the company’s main domain, paypal.com.

He has explained that the details of the flaw cannot be made public because PayPal hasn’t addressed the issue yet, despite the fact that it was reported to them over 2 months ago.

“That constituted a huge risk to the organization, since an attacker could have easily managed to execute any command on the server. Therefore the bug was extremely critical; however, PayPal took more than 2 months to sort it out,” the expert wrote on his personal blog.

He has also received an additional $1,000 (800 EUR) for identifying a couple of cross-site scripting vulnerabilities that have already been addressed by the online payment processor.

The researcher has been offered a position as a security quality engineer, also known as Security Ninja, with the company.

“Regarding the offer, I am currently doing my Bachelors here in Pakistan. I will think about it when it's completed. After all, I still need to sharpen my skills and learn more,” the expert told me in an email.

For those who are not familiar with Rafay Baloch’s previous work, he has helped organizations such as Microsoft, ESET and eBay in addressing security issues that plagued their websites.

Update. The total amount awarded by PayPal to Rafay Baloch is $10,000 (8,000 EUR). The $5,000 (3,900 EUR) represented only the initial payment. More details are available on the expert's blog.
Researcher rewarded by PayPal for finding remote code execution vulnerability