German student Robert Kugler, 17, says he found a bug on PayPal's site.
Being a good netizen, he responsibly disclosed the bug by contributing it to PayPal's Bug Bounty Program.
PayPal's response was twofold: First, somebody else already found the cross-site scripting (XSS) flaw, the company said.
Secondly, 'thanks, but no thanks, kiddo - you would have been too young to participate anyway'.
PayPal, did you irk a budding security researcher?
It certainly seems so, as Kugler's next step was to do what is universally accepted in the security industry as irresponsible - he publicly disclosed the bug.
Kugler's remark, from his May 24 full disclosure posting:
"I don’t want to allege PayPal a kind of bug bounty cost saving, but it’s not the best idea when you're interested in motivated security researchers ..."
PayPal emailed this statement in defense of its actions to TechWeek Europe:
"While we appreciate Mr. Kugler’s contribution to PayPal’s Bug Bounty Program, we can confirm that the cross-scripting vulnerability he identified was already discovered by another security researcher and Mr. Kugler is ineligible to participate in the program since he is under 18 years old."
The mischief that can be done with XSS flaws is exemplified in myriad ways, including Twitter getting exploited over its " onMouseOver" vulnerability and Yahoo accounts getting hijacked via a flaw in the company’s YDN blog page.
Kugler said he notified PayPal of the vulnerability on May 19 but was told that because he's under the age of 18, he's ineligible for the Bug Bounty Program. He turns 18 in March 2014.
One problem: in spite of PayPal's having cited an age guideline, no such age limit is apparent on its Bug Bounty Program site.
Unsurprisingly, PayPal is taking a licking on Reddit over the perceived faux pas.
Redditor "x9k" notes, for example, that both Google and Mozilla pay underage bug finders with the go-ahead from an adult.
x9k goes on to post the following incidents concerning security researchers, one of whom, at least, is far younger than Mr. Kugler:
- Mozilla paid a 12-year-old boy $3,000 for a flaw in the memory of the Firefox browser.
- Teenager "Pinkie Pie" received a $60,000 bounty for finding a flaw in Google's Chrome browser.
- Fifteen-year-old Norwegian Cim Stordal, who made the Google Security Hall of Fame, was credited with disclosing an XSS issue to Apple, was thanked by Microsoft officials for disclosing a security vulnerability, and received a "White Hat" Visa card from Facebook worth $500 credit.
At any rate, PayPal said in its statement that it's working to fix the XSS issue, which hasn't yet been exploited:
“We are working quickly to fix the cross-scripting issue, and we have not found any evidence at this time that our customers’ information has been compromised by this vulnerability."
Was PayPal right to not pay Kugler?
On the basis that others found the bug first, declining to pay him is defensible, regardless of his age.
PayPal subsequently sent me a statement to that effect:
"In this specific situation, the cross-site scripting vulnerability was already discovered by another security researcher, so it would not have been eligible for payment, regardless of age, as we must honor the original researcher that provided the vulnerability."
But I think not paying him on the basis that Kugler isn't 18 is utterly feeble. Yes, of course companies like PayPal should pay security researchers who find bugs, regardless of their age.
Were Kugler the first to find the flaw, he should have gotten paid, end of story.
PayPal is eating a bit of humble pie over this one, looking at ways to better encourage young security researchers in the wake of the bad publicity it's getting over dissing Kugler.
To wit, it's going to send him a letter (hopefully, a respectful and apologetic one). From PayPal's statement:
"We appreciate the security researcher's efforts and this situation illustrates that PayPal can do more to recognize younger security researchers around the world. As a first step, we are sending an official letter of recognition for the researcher's contribution and we are exploring other ways to recognize younger security researchers when they do discover a vulnerability and responsibly disclose that discovery."
OK. As a first step, a letter is, likely, better than nothing.
But I don't understand why PayPal has to explore "other ways to recognize younger security researchers" when they discover and responsibly disclose a vulnerability.
The company already has a way to recognize bug finders. That way is cash. Why should age play a part in rewarding a bounty?
And on the subject of public disclosure, should Kruger have publicly disclosed the bug, out of spite?
But hell hath no fury like a security researcher scorned.