Under 18s Disqualified From Receiving PayPal Bug Bounties? [Updated]

Nowadays many large companies have started to employ bug bounty programs as a means of bolstering their web security. These have proven to be hugely popular amongst the security community as some of the awards given can be quite substantial.

It seems, though, that some companies are more selective than others though when it comes to issuing payments in return for vulnerability disclosures, as appears to be the case with Robert Kugler and PayPal. (Kugler must be wondering whether bug bounties are worth it).


Kugler, a 17 year old student, claims that he discovered a cross site scripting vulnerability on PayPal.com and that he sent his find to PayPal Inc in response to their bug bounty program.

Unfortunately, however, Kugler then claims that he was barred from receiving a payment even though that web page doesn’t seem to mention age as a barrier. It seems this was brought up, via email, after he made his disclosure though –

“To be eligible for the Bug Bounty Program, you *must not*:
… Be less than 18 years of age.If PayPal discovers that a researcher does not meet any of the criteria above, PayPal will remove that researcher from the Bug Bounty Program and disqualify them from receiving any bounty payments.”
via zer0byte.com

Kugler has said that he has received rewards in the past from Mozilla – (see https://www.mozilla.org/security/announce/2012/mfsa2012-98.html and https://www.mozilla.org/security/announce/2013/mfsa2013-45.html) and that he is acknowledged as a security researcher for Microsoft (April 2013).

So is it fair that PayPal have knocked him back because of his age? I don’t think so myself but then thats their prerogative I guess.

Update: it seems that PayPal haven’t denied a bounty based on Kugler’s age after all – The Register are now reporting that –

“The payments processing firm said that while it had denied the 17-year-old a reward, it was because another researcher had already reported the flaw.”

photo: ballanross

About Lee Munson

Lee's non-technical background allows him to write about internet security in a clear way that is understandable to both IT professionals and people just like you who need simple answers to your security questions.

Speak Your Mind