PayPal to offer a bounty for reported security flaws
PayPal is the latest to join a small but growing list of companies that offer money to external security researchers who report the security flaws they uncover. Other companies that currently offer a bounty include Google, Adobe, Mozilla, Facebook and Samsung, though PayPal is possibly the first financial service to do so.
Michael Barrett, PayPal's chief information security officer, acknowledged initially having reservations about "paying researchers for bug reports." However, he conceded that this has been proven to be "an effective way to increase researchers' attention on Internet-based services and therefore find more potential issues."
According to Barrett, submitted bug reports are grouped into four categories: XSS (cross-site scripting), CSRF (cross-site request forgery), SQL injection and authentication bypass. The scheme is an expansion of the existing bug-reporting process, which includes encrypting the submission email with PayPal's PGP key for security purposes.
Researchers will be paid once a vulnerability has been verified and the bug rectified. PayPal will determine the bounty amount and its decision is final, with all payments disbursed via PayPal, of course. Additional details of the program can be found here.