Paypal.com, an online money transfer company that lets people send and receive payments online, advertises its Paypal “Bug Bounty” program. Under the Paypal.com Bug Bounty Program, security researchers are rewarded by Paypal for discovering vulnerabilities in its websites and reporting their findings to the company in a responsible manner. Working as a website security researcher, you get to find flaws, exploits, and vulnerabilities in a company's website, which in turn helps the company avoid losses of thousands or even millions of dollars caused by poor security.
Paypal.com is an e-commerce business that allows online money transfers and payments to be made over the internet. You can pay online and buy digital or physical goods using Paypal. Online money transfers serve as an electronic alternative to traditional paper payment methods, such as checks and money orders.
The program is a good fit for website penetration testers (pen testers) who already have a background in testing the security of websites. It can also serve as an exercise for training your skills in web application pen testing.
Computer security is important for consumers as well as for business organizations. Companies suffer the greater damage when an exploit or vulnerability exists in their web applications. The Paypal Bug Bounty Program offers a win-win scenario for both the company and the security researchers.
Paypal.com Bug Bounty Program for Security Researchers
In a recent blog post by Michael Barrett, Chief Information Security Officer of Paypal, he stated that if you manage to find a security flaw in any of the Paypal products, you may be entitled to a cash reward. The Paypal “bug bounty” program will pay researchers for bug reports. While Barrett did not state how much cash the company will be offering, he did disclose the vulnerability categories.
Paypal categorizes each vulnerability report into one of four categories:
- XSS (Cross Site Scripting)
- CSRF (Cross Site Request Forgery)
- SQL Injection
- Authentication Bypass
Cross-site scripting, or XSS, is a security vulnerability found in web applications that enables an attacker to inject client-side script into web pages viewed by other users. It allows attackers to bypass access controls such as the same-origin policy.
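To make the XSS definition above concrete, here is an added example (not code from the original post or from Paypal) showing the vulnerable pattern beside its hardened form: a comment rendered into HTML by string concatenation, and the same comment rendered after HTML-encoding. The comment text and the `render_comment_*` function names are constructed for this illustration.

```python
import html

# Constructed sample of untrusted input: a user comment that happens to contain markup.
UNTRUSTED_COMMENT = '<script>alert("xss")</script> Great service!'


def render_comment_unsafe(comment: str) -> str:
    """Vulnerable pattern: untrusted text is concatenated straight into the page,
    so any markup in it becomes part of the DOM and any script in it runs."""
    return f'<div class="comment">{comment}</div>'


def render_comment_safe(comment: str) -> str:
    """Hardened pattern: encode the five HTML-significant characters (< > & " ')
    before the text reaches the page, so the browser shows the markup as text."""
    return f'<div class="comment">{html.escape(comment, quote=True)}</div>'


def contains_raw_input(rendered: str, untrusted: str) -> bool:
    """Defensive check used in tests: does the untrusted input appear verbatim
    (i.e. unencoded) anywhere in the rendered output?"""
    return untrusted in rendered


if __name__ == "__main__":
    print("unsafe:", render_comment_unsafe(UNTRUSTED_COMMENT))
    print("safe:  ", render_comment_safe(UNTRUSTED_COMMENT))
```

The check in `contains_raw_input` is the kind of assertion a reviewer can put in a template's unit tests: if any untrusted string survives rendering byte-for-byte, output encoding was skipped somewhere.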
CSRF, or Cross Site Request Forgery, is a malicious exploit of a website in which unauthorized commands are transmitted from a user that the website trusts. It exploits the trust that a site has in the user's browser.
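The standard defence against the CSRF weakness described above is a per-session token that the server embeds in its own forms and checks on every state-changing request. The following is an added example (not code from the original post or from Paypal) of that synchronizer-token check; the in-memory `SESSIONS` store, the `/transfer` form and the `handle_transfer` function are constructed stand-ins for a real web framework's session and request handling.

```python
import hmac
import secrets

# Constructed in-memory session store: session id -> session data.
SESSIONS = {}


def start_session() -> str:
    """Create a session and bind a fresh, unguessable CSRF token to it."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"csrf_token": secrets.token_urlsafe(32)}
    return sid


def form_html(session_id: str) -> str:
    """Pages served by this site carry the session's token in a hidden field.
    A forged cross-site form cannot read it, so it cannot supply it."""
    token = SESSIONS[session_id]["csrf_token"]
    return (
        '<form method="post" action="/transfer">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '<input name="amount"><button>Send</button></form>'
    )


def handle_transfer(session_id: str, form: dict) -> tuple:
    """Server-side check on the POST: the browser's cookie identifies the session,
    but the request is only honoured if the submitted token matches that session's."""
    session = SESSIONS.get(session_id)
    if session is None:
        return 401, "no session"
    submitted = form.get("csrf_token", "")
    # Constant-time comparison so the check itself does not leak the token.
    if not hmac.compare_digest(submitted.encode(), session["csrf_token"].encode()):
        return 403, "csrf token missing or invalid"
    return 200, f"transfer of {form.get('amount')} accepted"


if __name__ == "__main__":
    sid = start_session()
    print(form_html(sid))
    print(handle_transfer(sid, {"amount": "10"}))  # forged request: no token
```

The point of the design is that the token is tied to the session on the server, is never sent in a cookie, and is compared in constant time; a request that carries only the session cookie (which the browser attaches automatically) is rejected.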
SQL Injection is a method used to attack a database through a website. It is done by including fragments of SQL statements in a web form field in an attempt to exploit a vulnerability in the website's code. The vulnerability arises when string literal escape characters in the user's input are not correctly filtered or escaped, so the database processes the embedded SQL as part of the application's own query.
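The mechanism just described, unfiltered quote characters turning form input into SQL, is easiest to see side by side with the fix. The block below is an added example (not code from the original post or from Paypal) using Python's built-in `sqlite3` against a constructed in-memory `users` table: `lookup_unsafe` splices the form value into the query text, while `lookup_safe` passes it as a bound parameter so the database never interprets it as SQL.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table, kept in memory so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, name TEXT)")
    conn.executemany(
        "INSERT INTO users (email, name) VALUES (?, ?)",
        [("alice@example.com", "Alice"), ("bob@example.com", "Bob")],
    )
    return conn


def lookup_unsafe(conn: sqlite3.Connection, email: str) -> list:
    """Vulnerable pattern: the web form value is spliced into the SQL string.
    A single quote in the input closes the literal and the rest becomes SQL."""
    query = f"SELECT name FROM users WHERE email = '{email}'"
    return [row[0] for row in conn.execute(query)]


def lookup_safe(conn: sqlite3.Connection, email: str) -> list:
    """Hardened pattern: the value travels as a bound parameter. The driver keeps
    data and query text separate, so quotes in the input are just characters."""
    return [row[0] for row in conn.execute("SELECT name FROM users WHERE email = ?", (email,))]


# Constructed form input that closes the string literal and appends a tautology,
# the textbook case of "escape characters incorrectly filtered".
TAMPERED_INPUT = "x' OR '1'='1"


if __name__ == "__main__":
    db = make_db()
    print("unsafe:", lookup_unsafe(db, TAMPERED_INPUT))  # every user's name
    print("safe:  ", lookup_safe(db, TAMPERED_INPUT))    # no match
```

Parameterised queries are the fix to insist on in review; input "filtering" of quote characters is what the paragraph above describes failing, and it is not a substitute.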
Paypal will then determine the priority of the bug report, and its developers will fix the issue and release the fix to the production environment.
Once the bug gets fixed, Paypal will pay the researcher.
Details of the Paypal Bug Bounty Program can be seen here.
Paypal is one of the most widely used financial websites for covering payments online; you can send money and make payments online using Paypal.com. Having a bug reward program will certainly help the company find flaws, exploits, and vulnerabilities in its site.