23 June 2012

Paypal Announces Bug Bounty Programme

ONLINE PAYMENT SERVICE Paypal will be offering bounties to security researchers for disclosing vulnerabilities in its services.

Paypal will be joining Google, Mozilla and HP by announcing that it will hand out cash to security researchers that decide to disclose vulnerabilities to Paypal rather than selling them to the highest bidder.


Michael Barrett, chief information security officer at Paypal said that the firm will be offering payments for vulnerabilities classed as cross site scripting attacks, cross site request forgeries, SQL injection or authentication bypass vulnerabilities.

Barrett admitted that initially he wasn't too keen on the idea of paying researchers, saying, "I originally had reservations about the idea of paying researchers for bug reports, but I am happy to admit that the data has shown me to be wrong - it's clearly an effective way to increase researchers attention on Internet-based services and therefore find more potential issues."

While Barrett disclosed vulnerability categories, he did not say how much cash the firm will be offering. Companies such as Google and HP often try to play up their bug bounty programmes as giving something back to the security community, but in truth it is a relatively cheap way for the firms to tap into talent that would otherwise cost them tens of thousands to hire.

Paypal's bug bounty programme has been put into practice.

AbhiShek SinGh
Founder of 'TheHackingArticles'. Cyber Security Analyst, Cyber Security Researcher, and Software Engineer. Follow 'AbhiShek SinGh' on Facebook , Twitter or Google+ or via Email

Subscribe to stay up to date