PayPal Denies Reward for Teenager After Finding Vulnerabilities

Robert Kugler, a 17-year-old German student, discovered some vulnerabilities in PayPal and contends that the company has denied him a reward for finding a vulnerability in its website. According to a news report from PCWorld, Kugler notified PayPal of the vulnerability on May 19, but because he was still under the age of 18 he was not eligible for the program. PayPal's bug bounty program, based on its terms and conditions, does not appear to have an age guideline.

Other companies such as Google and Facebook have similar rewards programs. The programs run by major companies are intended to create an incentive for researchers to report issues privately and to allow vendors to release fixes before hackers take advantage of the flaws. Kugler was also listed as one of the contributors among Microsoft's security researchers for the month of April.

PayPal does not list how it will reward bug researchers, but it requires that those reporting bugs have a verified account. Kugler stated that he asked PayPal that any bounty be paid into his parent's account. Kugler is one of the most popular teenage bug finders, having received a bounty from Mozilla worth $1,500 and another for a Firefox browser bug that earned him $3,000. According to Kugler, at a minimum he would like PayPal to acknowledge his finding and send him some documentation that he can use in a job application, but as of press time he hasn't received anything.

Kugler posted the vulnerability, a cross-site scripting (XSS) flaw, on the Full Disclosure section of, a forum for disclosing security vulnerabilities. An XSS attack occurs when a script drawn from another website is allowed to run when it should not be. This type of flaw can be used to steal information or potentially cause other malicious code to run.
