Payment services provider PayPal will reward security researchers who discover vulnerabilities in its website with money, if they report their findings to the company in a responsible manner. "I'm pleased to announce that we have updated our original bug reporting process into a paid 'bug bounty' program," PayPal's Chief Information Security Officer Michael Barrett said in a
blog post on Thursday.
Cross-site scripting (XSS), cross-site request forgery (CSRF), SQL injection (SQLi) and authentication bypass vulnerabilities will qualify for bounties, the amount of which will be decided by the PayPal security team on a case-by-case basis. Researchers need to have a verified PayPal account in order to receive the monetary rewards.
PayPal follows in the footsteps of companies like Google, Mozilla and Facebook that have implemented security reward programs for their online services during the last couple of years. "While a small handful of other companies have implemented bug bounties, we believe we are the first financial services company to do so," Barrett said.
