PayPal Announced Paid “Bug Bounty” Program for Security Researchers
Giant in payment services provider
PayPal recently announced the launch of a new
paid bug bounty program where PayPal will reward security researchers who will discover vulnerabilities in its website with handsome amount of money. In the official
blog PayPal's Chief Information Security Officer Michael Barrett said-
"The security of our customers’ data is our number one priority" Its very obvious and clear that while enhancing more security PayPal took this step because we all know that PayPal is listed among those sites where cyber-criminals always kept their eyes.
If you are a security researcher, and you've discovered a site or product vulnerability, please forward your details to
sitesecurity@paypal.com. We also like to give you reminder that before PayPal-
Facebook,
Google & many other has already started this paid
bug bounty program.
-:PayPal Bug Bounty Program In Details:-
- PayPal security team will determine the bounty amount and all decisions are final.
- Bounty is awarded to the first person that discovers the previously unknown bug.
- The bug bounty program is subject to change or to cancellation at any point without notice.
- Payment is paid out through a verified PayPal account, once the bug is fixed.
- For all submissions, do not send personal information in your report and please use PayPal's PGP key to encrypt your email.
- Individuals from sanctioned countries are not allowed to participate in this program.
- eBay Inc. employees, contractors and their immediate relatives are not allowed to participate in the program.
Vulnerabilities That Are in Scope:
- XSS
- CSRF/XSRF
- SQLi
- Authentication bypass
Note: While "Logout CSRF" is a well-acknowledged issue, there are other techniques like "cookie forcing" and "cookie bombardment" that can make it futile to defend against this attack. Also, PayPal's web sessions are relatively short lived and hence the Bug Bounty panel will not consider reports of the ability to log out users from PayPal as qualifying for the reward.
In Your Bug Submission Email, Please Include The Following:
- Your email address
- Your PayPal account (in order to receive the bounty)
- Vulnerability type (i.e., XSS, CSRF, SQLi, etc.)
- Vulnerability Scope: Domain(s), URL(s) and Parameter(s) impacted
- Steps to reproduce bug
Guidelines for Responsible Disclosure
- Share the security issue with us before making it public on message boards, mailing lists, and other forums.
- Allow us reasonable time to respond to the issue before disclosing it publicly.
- Provide full details of the security issue.
Terms for Participation :- As between eBay Inc. and the Submitter, as a condition of participation in the PayPal Bug Bounty program, the Submitter grants eBay Inc., its affiliates and customers a perpetual, irrevocable, worldwide, royalty-free and non-exclusive license to use, reproduce, adapt, modify, publish, distribute, publicly perform, create derivative work from, make, use, sell, offer for sale and import the Submission for any purpose. Submitter represents and warrants that the Submission is original to the Submitter and Submitter owns all rights, title and interest in and to the Submission. Submitter waives all other claims of any nature, including express contract, implied-in-fact contract, or quasi-contract, arising out of any disclosure of the Submission to eBay. In no event shall eBay be precluded from discussing, reviewing, developing for itself, having developed, or developing for third parties, materials which are competitive with those set forth in the Submission irrespective of their similarity to the information in the Proposal, so long as eBay complies with the terms of participation stated herein.
For additional information click
Here
Many of you are right, I am talking about 'Dr41DeY' because he is the guy who found vulnerability in the official website of Skype Shop and National Geographic Channel Germany (Nat Geo). Both Nat Geo and Skype have non persistent cross site scripting vulnerability also known as XSS vulnerability in their website. We have already informed this issue to concerning authority and webmaster to avoid misfortune. As expected, while writing this Skype have taken this issue seriously and fixed their loopholes immediately. Still for proof- above I have shared the screenshots with our readers, as evidence of the XSS hole. But unlike Skype Shop, Nat Geo yet not responded, so the vulnerability still exist on their portal. Hopefully they will take appropriate steps with out doing more delay. For updates in this story and also other hot cyber issues, just stay tuned with VOGH. Before concluding, I would like to remind you that- in 2012 an Indian hacker named Akshay has found XSS holes in the official website of National Geographic. Again after a year, Dr41DeY found another Nat GEO site vulnerable to XSS, that definitely arises a doubt about the security concern of one of the world's leading satellite television channel featuring documentaries with factual content involving nature, science, culture, and history, plus some reality and pseudo-scientific entertainment programming. 
