Payment services provider PayPal will reward security researchers who discover vulnerabilities in its website with money, if they report their findings to the company in a responsible manner.
If you manage to find a security flaw in any of PayPal’s products, you may be entitled to a cash reward. "I'm pleased to announce that we have updated our original bug reporting process into a paid 'bug bounty' program," PayPal's Chief Information Security Officer Michael Barrett said in a blog post on Thursday. While Barrett disclosed vulnerability categories, he did not say how much cash the firm will be offering.
PayPal plans to categorize reported bugs into one of four categories:
- XSS (Cross Site Scripting),
- CSRF (Cross Site Request Forgery),
- SQL Injection or
- Authentication Bypass
Researchers need to have a verified PayPal account in order to receive the monetary rewards.
"I originally had reservations about the idea of paying researchers for bug reports, but I am happy to admit that the data has shown me to be wrong - it's clearly an effective way to increase researchers' attention on Internet-based services and therefore find more potential issues."
Marius Gabriel Avram, a security engineer at U.K.-based security firm RandomStorm, looks for vulnerabilities in Web services operated by Google, Facebook, Twitter, Microsoft, eBay, PayPal and other companies that allow security researchers to do so, as long as they report their findings privately and don't cause any damage. It's like a challenge that helps security researchers improve their skills and, in some cases, earn some extra money, Avram said.
Avram found and reported over 10 security issues in PayPal's main and mobile websites during the past two weeks. Some of them were of high severity, he said, adding that PayPal's staff responded every time.
PayPal deserves congratulations for taking this step in the right direction.