PayPal opens up bug bounty program to minors

PayPal is opening up its bug bounty program to individuals aged 14 and older, a move intended to reward younger researchers who are technically ineligible to hold full-fledged PayPal accounts.

PayPal's program, which is a year old this month, only applied to those 18 years and older. Under the old rule, participants in the program were required to hold valid accounts, which excluded minors, said Gus Anagnos, PayPal's director of information security.

In May, 17-year-old Robert Kugler, a student in Germany, said he'd been denied a reward for finding a vulnerability. PayPal said the bug had already been found by two other researchers, which would have made Kugler ineligible for bounty.

In an apparent miscommunication, Kugler said he was initially told he was too young rather than the bug had already been discovered. Nonetheless, PayPal said it would look to bring younger people into its program, which pays upwards of US$10,000 for remote code execution bugs on its websites.

Those who are under 18 years old can receive a bug bounty payment through a PayPal student account, an arrangement where a minor can receive payments via their parent's account, Anagnos said.

Anagnos said other terms and conditions have been modified to make its program more transparent, such as clarifying which PayPal subsidiaries and partner sites qualify for the program.

PayPal pays much less for vulnerabilities on partner websites, which have a URL form of "www.paypal-__.com." A remote execution bug found on that kind of site garners only $1,500 rather than up to $10,000 on the company's main sites.

Like other bug bounty programs run by companies such as Microsoft and Google, PayPal will publicly recognize researchers on its website with a "Wall of Fame" for the top 10 researchers in a quarter. Another "honorable mention" page lists anyone who submitted a valid bug for the quarter.

Eusebiu Blindu, a testing consultant from Romania, was one of the researchers listed on the Wall of Fame for the first quarter of this year.

"I think Paypal is the best bug bounty program, and I am glad I participated in it from the first days of its launching," he wrote on his blog.

Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk