Independent security researcher Rafay Baloch has been awarded $5,000 (3,900 EUR) by PayPal after identifying a remote code execution vulnerability on the company’s main domain, paypal.com. He has explained that the details of the flaw cannot be made public because PayPal hasn’t addressed the issue yet, despite the fact that it was reported to them over 2 months ago.
“That constituted a huge risk to the organization, since an attacker could have easily managed to execute any command on the server. Therefore the bug was extremely critical; however, PayPal took more than 2 months to sort it out,” the expert wrote on his personal blog.
He has also received an additional $1,000 (800 EUR) for identifying a couple of cross-site scripting vulnerabilities that have already been addressed by the online payment processor.
The researcher has been offered a position as a security quality engineer, also known as Security Ninja, with the company.
“Regarding the offer, I am currently doing my Bachelors here in Pakistan. I will think about it when it's completed. After all, I still need to sharpen my skills and learn more,” the expert told me in an email.
For those who are not familiar with Rafay Baloch’s previous work, he has helped organizations such as Microsoft, ESET and eBay in addressing security issues that plagued their websites.
Update. The total amount awarded by PayPal to Rafay Baloch is $10,000 (8,000 EUR). The $5,000 (3,900 EUR) represented only the initial payment. More details on the expert's blog.