PayPal, one of the first companies to offer a bug-reporting program, announced on Thursday that it’s sweetening the deal with bounties.
Michael Barrett, PayPal’s chief information security officer, said in a blog posting that he was initially leery of the concept, but the positive experiences of internet behemoth brethren that pay bounties – Facebook, Google, Mozilla and Samsung – have changed his mind.
"I originally had reservations about the idea of paying researchers for bug reports, but I am happy to admit that the data has shown me to be wrong - it's clearly an effective way to increase researchers' attention on Internet-based services and therefore find more potential issues."
How sweet is the deal going to be for white-hat security researchers? Nobody knows, since Barrett didn’t offer PayPal’s bug pricing scheme.
But PayPal will assuredly take note of what companies are offering, as well as the fact that they’re expanding their programs’ initial scopes. To wit:
- In May, Google boosted its maximum reward from $3,133 to $20,000 and added a $10,000 payment for SQL injection bugs or for what it deems to be “significant” authentication bypass or data leak vulnerabilities.
- In 2010, Mozilla increased its payout to $3,000 for each eligible security bug. It also broadened the program’s scope to include not only Firefox and Thunderbird but also Firefox Mobile and any Mozilla services that rely on those products.
- Facebook pays at least $500 for security hole reports. Last summer, Facebook chief security officer Joe Sullivan reported that the company had paid out over $40,000 within the first three weeks of the company’s decision to pay bounties.
Using the same secure reporting process with PGP encryption that it previously used for unpaid reports, PayPal plans to categorize reported bugs into one of four categories:
- XSS (Cross Site Scripting),
- CSRF (Cross Site Request Forgery),
- SQL Injection or
- Authentication Bypass
And how is PayPal’s attitude about all this?
Of course, as Ducklin pointed out at the time, you can’t expect a company to pay for bugs if a researcher doesn’t give Facebook time to fix the bug before it’s publicly posted.
But yikes, Facebook got heavy-handed with somewhat threatening language:
If you give us a reasonable time to respond to your report before making any information public and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research, we will not bring any lawsuit against you or ask law enforcement to investigate you.
Does PayPal’s bounty program use such a heavy stick? Yes, but the tone’s a bit more muted:
To encourage responsible disclosure, we commit that - if we conclude that a disclosure respects and meets all the guidelines [outlined in the policy] - we will not bring a private action or refer a matter for public inquiry.
In other words, PayPal says, in slightly less in-your-face language than Facebook, we won’t set our lawyers on you or ask the police to investigate you if you refrain from, say, DDoSing us or poking your nose into other users’ data without asking their OK first.
Well, fine. There are obviously quite a few lawyers hammering out wording for this kind of program.
And regardless of the legalese, it’s a positive thing when companies reward responsible researchers as opposed to punishing them.
Take, for example, security researcher Patrick Webster. Last fall, he alerted his investment fund company of a glaring security lapse.
They thanked him with a legal threat and notice that he just might be billed for the security fix.
Instead of displaying such a lack of gratitude, PayPal joined its peers (and accomplished a first in the world of financial services companies, its CISO believes) by acknowledging security researchers for their hard work and stepping up to recompense them for it.
Kudos. Let’s hope the trend continues to grow.
Fist of dollars image courtesy of Shutterstock.