Payment giant says teen was too young and the bug had already been found
PayPal has given two reasons why a 17-year-old was not rewarded for finding a potentially serious vulnerability on the payment platform’s website: he was not old enough and the flaw had already been found.
German student Robert Kugler decided to disclose the cross-site scripting (XSS) vulnerability on Seclists.Org after PayPal turned him away.
The eBay-owned company came in for some stick on Reddit, where one user noted Google and Mozilla pay under-age participants if they get an adult’s permission. Given the lack of security talent available globally, companies should reward youngsters for their findings, according to security experts.
But PayPal has defended its actions. “While we appreciate Mr. Kugler’s contribution to PayPal’s Bug Bounty Program, we can confirm that the cross-scripting vulnerability he identified was already discovered by another security researcher and Mr. Kugler is ineligible to participate in the program since he is under 18 years old,” a spokesperson said, in an emailed statement sent to TechWeekEurope.
“We are working quickly to fix the cross-scripting issue, and we have not found any evidence at this time that our customers’ information has been compromised by this vulnerability.
“We recognise and appreciate Mr. Kugler’s efforts, and we look forward to continue working with the security community to receive bug submissions that are responsibly disclosed.”
What do you know about Internet security? Find out with our quiz!