PayPal to pay security researchers for reported vulnerabilities

Guest Kovalski

PayPal launches a paid bug-bounty program for responsible security researchers

IDG News Service - Payment services provider PayPal will reward security researchers who discover vulnerabilities in its website with money, if they report their findings to the company in a responsible manner.

"I'm pleased to announce that we have updated our original bug reporting process into a paid 'bug bounty' program," PayPal's Chief Information Security Officer Michael Barrett said in a blog post on Thursday.

Cross-site scripting (XSS), cross-site request forgery (CSRF), SQL injection (SQLi) and authentication bypass vulnerabilities will qualify for bounties, the amount of which will be decided by the PayPal security team on a case-by-case basis. Researchers need to have a verified PayPal account in order to receive the monetary rewards.

PayPal follows in the footsteps of companies like Google, Mozilla and Facebook that have implemented security reward programs for their online services during the last couple of years. "While a small handful of other companies have implemented bug bounties, we believe we are the first financial services company to do so," Barrett said.

The bug-bounty programs run by Google, Mozilla and Facebook have had positive results so far, Barrett said. "I originally had reservations about the idea of paying researchers for bug reports, but I am happy to admit that the data has shown me to be wrong -- it's clearly an effective way to increase researchers' attention on Internet-based services and therefore find more potential issues."

The new bug-bounty program will help PayPal reduce the number of vulnerabilities in its websites, but they won't disappear completely, Marius Gabriel Avram, a security engineer at U.K.-based security firm RandomStorm, said via email.

In his spare time, Avram looks for vulnerabilities in Web services operated by Google, Facebook, Twitter, Microsoft, eBay, PayPal and other companies that allow security researchers to do so, as long as they report their findings privately and don't cause any damage. It's like a challenge that helps security researchers improve their skills and, in some cases, earn some extra money, Avram said.

Avram found and reported over 10 security issues in PayPal's main and mobile websites during the past two weeks. Some of them were of high severity, he said, adding that PayPal's staff responded every time.

Not every company can afford to run a bug-bounty program. However, there are big companies with significant profits like eBay, Amazon, Sony and others that could and should implement such programs, especially since some of them have experienced data breaches in the past, Avram said.

Some hackers -- the so-called black hats -- abuse the vulnerabilities they find for illegal purposes. Others disclose them on their personal blogs or other public websites in order to make a name for themselves.

Avram believes that it's this second kind of hacker that paid bug-bounty programs could attract. Like Google and Facebook, PayPal realized that asking such people to report the security problems they find without any incentive doesn't really work, he said.

Source


Guest Kovalski
Yeah man, big companies in the financial sector pay good money for this kind of thing, while others...

If we dared to report a vulnerability to a bank in Romania, I don't know why, but I have a feeling it would mean prison...


Exactly, ps-axl. When we find a vulnerability, then the law comes:

Art. 42. - (1) Access, without right, to a computer system constitutes an offence and is punishable by imprisonment from 3 months to 3 years or by a fine.

Along the way I also learned whether being a white hat is worth it, and I came to the conclusion: NO, it's not worth it. If you've obtained access to a system, take advantage of it intelligently!

I had reported vulnerabilities in major Romanian sites; I didn't ask for money, but a lousy thank-you would have made me feel better.

Only two reported vulnerabilities brought me any reward in Romania, and those sites had Hungarian administrators.

Later edit: I know it was off-topic, since this was about banks, but that's pretty much how things stand there too.

Edited by totti93

Yeah man, big companies in the financial sector pay good money for this kind of thing, while others...

I've discovered vulnerabilities in many sites such as IBM, Symantec (I reported two and have one more), AT&T (they were rude and ignored me after I helped them; I should mention I didn't ask them for money), VMware. At all of these companies I had access to every user registered on their site, basically I could log in as any user I wanted, and they gave nothing.

The list above is from abroad, but in Romania I've helped large firms, multinationals, which rewarded me as best they could because I helped them fix their vulnerabilities. For example, Vodafone gave me a very expensive laptop, and Orange gave me an iPhone 4S.

Still, there were a few firms from abroad that rewarded me for helping them: Facebook twice and Xilinx about 4 times. Of all the firms mentioned above, apart from Facebook, I had access to any account in the database.

Conclusion: the Romanian firms were much more serious than the ones from abroad.

All the best,

Mah_on3

Edited by mah_one

@totti93: Still, if you put in an apostrophe, for example, and found an SQL-type vulnerability, that doesn't mean you've penetrated the system, so you have something to report and you won't be thrown in jail.

Ahh, if you want to show them you're good and can do more than that, that's another discussion.

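The "apostrophe" the reply above refers to is a symptom, not an intrusion: a single quote in user input only produces a database error when the application splices that input into the SQL text, and it produces no error when the query is parameterized. The following is an added example, not code from the thread or from any of the companies named in it; it uses an in-memory SQLite table constructed here, with a deliberately vulnerable lookup beside the parameterized one, so a developer can see why the error appears and how the fix removes it.

```python
import sqlite3


def make_db():
    """Build a small constructed users table in memory (sample data, not real accounts)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO users (name) VALUES (?)",
        [("alice",), ("O'Brien",)],
    )
    conn.commit()
    return conn


def lookup_concat(conn, name):
    """Vulnerable form: the input becomes part of the SQL text.

    A legitimate name such as O'Brien already breaks the statement, which is
    exactly the error message an external tester sees when probing with a quote.
    """
    sql = "SELECT id, name FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_param(conn, name):
    """Hardened form: the input is bound as a value and can never alter the query structure."""
    sql = "SELECT id, name FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def apostrophe_probe(lookup, conn, name="O'Brien"):
    """Classify a lookup by whether an apostrophe in the input triggers a database error.

    Returns 'error' for the vulnerable pattern and 'ok' for the parameterized one;
    this is the observation a report to the site owner would describe.
    """
    try:
        lookup(conn, name)
        return "ok"
    except sqlite3.Error:
        return "error"


if __name__ == "__main__":
    db = make_db()
    print("string concatenation:", apostrophe_probe(lookup_concat, db))
    print("parameterized query :", apostrophe_probe(lookup_param, db))
    print("parameterized result:", lookup_param(db, "O'Brien"))
```

The parameterized version is also the one that handles real names containing apostrophes correctly, so the fix is not only a security improvement but a correctness one; the same `?` placeholder pattern (or the driver's equivalent) applies to any SQL backend.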

@totti93: Still, if you put in an apostrophe, for example, and found an SQL-type vulnerability, that doesn't mean you've penetrated the system, so you have something to report and you won't be thrown in jail.

Ahh, if you want to show them you're good and can do more than that, that's another discussion.

If totti keeps doing things like this, hand me the eggs and I'll make myself an omelette. Honestly, I moved past this stage a while ago and decided not to get involved anymore; I won't list what I did and where... but I hope what I'm about to tell you counts for something.

If you ever want to earn a living from white-hat work, make PoCs and scenarios and post them on your personal blog/forum... not "security shit" chatter, and I guarantee that within a year at most you'll be noticed. Before I used BackTrack, I wrote various articles with scanners based only on the Microsoft Security Bulletin; I knew there weren't that many people who update a lousy Windows... maybe out of negligence or carelessness. Even so, I received various emails from firms that had no idea what they were asking me for (e.g. Linux at a high level, PHP... etc.), and I refused them all. They basically didn't read the terms of use... where I wrote very clearly that these were white papers based on vulnerabilities reported to Microsoft or in CVE and fixed in some KB, and that I didn't offer the tool itself, I only posted parts of the source code.

Recently... browsing the net I came across a small-time blogger who does security and posts articles about 0-days. The guy saw it was working for him and now does only vB, Joomla, WordPress. When I remember the blog I'll come back with an edit. I don't think there's any update to those 3 that would stop him from finding all kinds of crap; rest assured that guy is sought after, and not by the law.

I don't think you've tried hard enough; money can be earned by working honestly too, don't worry. As the priest says, "stupid womaniser" (stupid womaniser = a womaniser without a woman, so it isn't misunderstood...), that's how you are, because you can't manage.

Edit: This is the individual I mentioned above... I've heard many things about him, and this is his page http://hauntit.blogspot.ro/

Edited by me.mello