In an effort to keep PayPal the safe and secure online payment company, we are pleased to announce the launch of a bug bounty program! Our official announcement is here, and the official details of the program can be found here: https://cms.paypal.com/cgi-bin/marketingweb?cmd=_render-content&content_ID=security/reporting_security_issues
PayPal believes in proactively securing our site because we value our customers' privacy and the protection of their financial information.
Like other security programs, we have guidelines that we expect the security researchers to follow:
- Please do not disclose your findings to the general public; if you do, we will not pay you.
- Do not bring down our site while doing your security research.
- And definitely do not send us sensitive information in your findings.
- Do allow us reasonable time to research your claim(s). This process may take some time, so please be patient.
We know that there are many vulnerabilities out in the application security world. For now, our bug bounty program will only accept the following types of bugs: XSS, CSRF/XSRF, SQLi and Authentication Bypass. However, if you do find an issue that you think we should really know about, submit it to us anyway and we will look into it. The scope of the program is for bugs found on our main domain: www.paypal.com. We will expand the program when we deem it to be appropriate.
We are introducing a bounty program, similar to what others out there have done, because we see a long-term benefit to the company when we rely on the larger security community to help us protect our site.
We welcome your feedback on our bug bounty program and we look forward to your vulnerability bug submissions!
Nam Wu