PayPal to offer bug bounties for info on security holes

We wonder if Jonathan Vilma will participate in this bounty program as well? (Photo credit: Walter G Arce/Shutterstock.com)

PayPal joins other well-known web companies – Facebook, Google, Mozilla, and others – that offer similar bounties.

“I’m pleased to announce that we have updated our original bug reporting process into a paid ‘bug bounty program’”, wrote Michael Barrett, chief information security officer (CISO) at PayPal in a blog on Thursday. He said that PayPal is the first financial services firm to offer bug bounties.

“I originally had reservations about the idea of paying researchers for bug reports, but I am happy to admit that the data has shown me to be wrong – it’s clearly an effective way to increase researchers’ attention on internet-based services and therefore find more potential issues”, he explained.

The bug bounty program is restricted to four types of vulnerabilities: cross-site scripting, cross-site request forgery, SQL injection, and authentication bypass. PayPal will determine payment based on the “severity and priority of the problem”, Barrett said.

Once the developers have fixed the problem and released the fix to the production environment, the researcher will be paid using PayPal, “of course”, quipped the CISO.