Nowadays many large companies have started to employ bug bounty programs as a means of bolstering their web security. These have proven to be hugely popular amongst the security community as some of the awards given can be quite substantial.
It seems, though, that some companies are more selective than others when it comes to issuing payments in return for vulnerability disclosures, as appears to be the case with Robert Kugler and PayPal. (Kugler must be wondering whether bug bounties are worth it.)
Kugler, a 17-year-old student, claims that he discovered a cross-site scripting vulnerability on PayPal.com and that he sent his find to PayPal Inc in response to their bug bounty program.
Unfortunately, Kugler then claims that he was barred from receiving a payment, even though the program’s web page doesn’t seem to mention age as a barrier. It seems this was brought up, via email, only after he made his disclosure –
“To be eligible for the Bug Bounty Program, you *must not*:
… Be less than 18 years of age. If PayPal discovers that a researcher does not meet any of the criteria above, PayPal will remove that researcher from the Bug Bounty Program and disqualify them from receiving any bounty payments.”
Kugler has said that he has received rewards in the past from Mozilla (see https://www.mozilla.org/security/announce/2012/mfsa2012-98.html and https://www.mozilla.org/security/announce/2013/mfsa2013-45.html) and that he is acknowledged as a security researcher by Microsoft (April 2013).
So is it fair that PayPal have knocked him back because of his age? I don’t think so myself, but then that’s their prerogative, I guess.
Update: it seems that PayPal haven’t denied a bounty based on Kugler’s age after all – The Register are now reporting that –
“The payments processing firm said that while it had denied the 17-year-old a reward, it was because another researcher had already reported the flaw.”