
PayPal Reviewing Qualifying Age For Vulnerability Rewards

Posted by Unknown Lamer
from the break-it-before-you-can-use-it dept.
itwbennett writes "In follow-up to 17-year-old Robert Kugler's claim that PayPal denied him a bug bounty because he was under 18, the company now says that it is 'investigating whether it can lower the qualifying age for vulnerability rewards for those who responsibly report security problems.' The company also said that the vulnerability had already been reported by another researcher — although they didn't mention that in the email to Kugler telling him he wouldn't be receiving payment."
  • That should sidestep all the legal complications.

    • That should sidestep all the legal complications.

      Or, they could do what child-oriented contests and websites have done since time unknown:

      Kids! Get your parents to submit written permission and you too can take part in whatever the hell it is we're doing!

    • it was promised as a cash reward, don't force him to spend it on university...put it in escrow and cut him a check when he turns 18 if there is an age issue

    • by Guppy (12314) on Wednesday May 29, 2013 @12:58PM (#43851753)

      And give the scholarship a grand-sounding name, so the kid can get some extra mileage in buffing his resume; such documents are often read by non-technical personnel who might misunderstand "Earned $**** reward for finding security vulnerability" (OMG HAX!), but would love to see something like "Recipient of the Paypal Merit Scholarship for Computing Security Excellence in Youth".

  • by HalAtWork (926717) on Wednesday May 29, 2013 @11:59AM (#43850929)
    It's a voluntary process, why would they need to restrict it? It's not like it's forced child labor. If anything, it's a learning experience.
    • by idontgno (624372) on Wednesday May 29, 2013 @12:04PM (#43851007) Journal

      If anything, it's a learning experience.

      Indeed. A valuable lesson for any impressionable youth to learn: Paypal will work very hard to screw you out of anything it can. Unless the PR blowback gets bad enough.

      (Paypal can apparently tolerate a certain low buzz of "Paypal sucks". They have considerably more trouble with Streisand-amplified flak.)

    • There may be some sort of 'ability to enter into legally binding contracts' thing going on. But seriously just hold the payment till he turns 18. Happy birthday kid!

      People make things so hard for themselves sometimes.

    • It's a voluntary process, why would they need to restrict it? It's not like it's forced child labor. If anything, it's a learning experience.

      Yeah, he learned that he should never report a vulnerability. At best, you get nothing for your trouble, at worst you get the FBI breaking down your door and you get Aaron Swartz'd by some overzealous DA.

    • by TheCarp (96830) <sjc@carpane[ ]et ['t.n' in gap]> on Wednesday May 29, 2013 @12:12PM (#43851147) Homepage

      There is only one reason to restrict it...legal CYA. Remember everywhere in the world makes their own laws and many of them have restrictions on what one can do with young people, which includes paying them.

      Does paying a minor, even for such a voluntary action, require parental approval? If a 15 year old submits a bug, gets paid, and uses the money to buy drugs, could the parent sue, claiming they were irresponsible to give so much money to a teenager directly?

      Remember, lawmakers are lazy, they like to be overly broad or not think things through, I could totally see legislative attempts at curbing anything from drug use to underage prostitution hamfistedly creating problems here. Law is often not limited by its own intentions.

      In the end, I bet the answer has three letters: CYA:

      "What are the implications of allowing people under 18 to submit bugs?"
      "It depends on......."
      "Ok sorry I asked; no submissions from people under 18."

      • by noh8rz10 (2716597)

        If a 15 year old submits a bug, gets paid, and uses the money to buy drugs, could the parent sue, claiming they were irresponsible to give so much money to a teenager directly?

        let me answer your question with a blanket YES - anybody can sue anybody for anything, for any claim. then it becomes a probability game of their odds of winning, the potential cost if you lose, and the cost of defending, even if you were to win. throw in some unquantifiables such as PR reputational costs, etc.

        on the other hand, the plaintiff plays the same probability game, and will only sue if there's a good chance of seeing some $$. So it's all a rent-seeking game of thuggery and extortion. welcome to t

        • by TheCarp (96830)

          > on the other hand, the plaintiff plays the same probability game, and will only sue if there's a good
          > chance of seeing some $$

          Well no, it's if they believe there is a good chance, which is different from whether there is, but also, whether there is depends on what court in what country. My point is, this looks pretty clearly like it was CYA from the beginning and likely something they didn't think through since it was likely viewed as more trouble than it's worth.

          • by noh8rz10 (2716597)
            I don't think you know what CYA means... it means think in advance to minimize problems later! Sure it backfired here but there are probably hundreds of cases in which children probably as young as 11 would have sought rewards even though it would be violating child labor laws worldwide. is this what you want, for Paypal to engage child labor to search for bugs?
            • by TheCarp (96830)

              I don't consider that child labor so no. However, if you do, then yes, that's exactly what I would want; regardless of the label you put on it.

              • by noh8rz10 (2716597)
                obviously you do not have children. if you ever do you will see what I mean... trust me grasshopper...
                • by TheCarp (96830)

                  obviously the hormonal impact of having children has clouded your ability to understand what child labor actually means and why it is generally banned. If you ever do get beyond that you will see what I mean, trust me.

      • by Khyber (864651)

        ""What are the implications of allowing people under 18 to submit bugs?""

        If you won't pay them as promised, someone else will.

        Mr. Kugler should be checking his paypal account for the tidy sum I just tossed his way.

        I hope PayPal is happy, because now I know how deep this rabbit hole goes, and it's a SEVERE PCI-DSS violation, which I shall be reporting, or exploiting, I'm not sure of which, yet.

        Either way, there's about to be a HUGE shitstorm for paypal, and this will likely end up having them fully-regulated

      • by c (8461)

        Does paying a minor, even for such a voluntary action, require parental approval?

        According to the terms of the program, yes.

        "Payment is paid out through a verified PayPal account, once the bug is fixed." [paypal.com]

        A minor can't have a PayPal account. As well, there's a "Terms for participation" which implies a contract to submit the bug. If a minor can't enter a contract, they can't agree to the terms.

        • by TheCarp (96830)

          That is kind of tangential to the point though. Yes, those are the terms, but, what the terms are doesn't address what they can be or why they are the way they are. I meant in more general terms, can you legally pay a minor without permission from their parent? Certainly, I imagine there are places and situations where you can, unambiguously and legally do so, but it's not hard at all to imagine places and situations where you cannot or where whether you can is ambiguous.

          I think this really boils down to a b

      • Good analysis.

        If a 15 year old submits a bug, gets paid, and uses the money to buy drugs, could the parent sue, claiming they were irresponsible to give so much money to a teenager directly?

        Just to strip away the euphemisms here for clarity - Paypal likely isn't afraid of paying the youngster for good work - it's afraid of what government thugs might do to them if they do.

        I'd rather live in the world where a youth can be rewarded for diligent, intelligent work.

      • by steelfood (895457)

        It's all about lawsuits. Laws cannot be written with every specific case in mind (and probably should not). The very purpose of judges (and juries) is to determine the application of law in each specific case.

        The problem (in this case) is neither the judges nor the lawmakers. It's the lawyers, and the sue-happy culture. A large company's primary goal operationally is to avoid lawsuits. It's not to make money. It's not to create products. It's to avoid lawsuits. That should tell you everything about the cul

      • There is only one reason to restrict it...legal CYA.

        "PayPal security is sooo bad, even a six-year-old can break it."

        That would be another reason for placing an age limit on people who submit bugs, possible embarrassment.

    • Child labour laws usually prohibit voluntary labour by persons under a certain age (with varying ages, transitional age ranges allowed to work limited hours, etc.).

      • Child labour laws usually prohibit voluntary labour by persons under a certain age (with varying ages, transitional age ranges allowed to work limited hours, etc.).

        Indeed; in the USA, that age is generally 16 (although exceptions do apply for work permit holders and farm kids)

        • by ganjadude (952775)
          yet you can be 14 and work at a mcdonalds, at least in NY
          • by Khyber (864651)

            With highly restricted hours, and if McDonald's isn't following that restriction, they're about to get fucked, royally. Won't matter if it's an independent franchise or not.

          • yet you can be 14 and work at a mcdonalds, at least in NY

            I figured as much; hence my use of the term, "generally."

            In Missouri, employing anyone under the age of 16 requires a valid work permit (exception made for farm hands).

            • by ganjadude (952775)
              I forgot to mention that you do need a work permit, 14-15 are restricted to some jobs (mcdonalds) and can only work a total of 20 hours and no more than 3 hours on a school day and not past 7 PM (things may have changed in the past 15 years but ..woah damn I'm old) 16-17 can work 32 hours or something and no more than 4 hours on a school day and not after 10 PM
    • Really it seems like this is a way to force younger people into criminal hacking. Hey, I found a bug on Paypal, I could do the responsible thing, and turn it in and not get paid, or I could exploit it and get paid even better. As if I needed any more reason to hate Paypal.

  • Their poor policy and the public's perception of that company. The more people hear about PayPal's poor internal decision making the better off everyone is about avoiding their biggest vulnerabilities.

  • It seems obvious to me, but if Robert Kugler is too young to receive the award, then arrange to make the payment to a parent or guardian. If somebody else discovered the vulnerability first, then again, obviously, that should have been stated in the initial contact.

    • by bmo (77928)

      This all assumes that there is some sort of legal restriction on giving money for things like this.

      There isn't.

      --
      BMO

    • by g0bshiTe (596213) on Wednesday May 29, 2013 @12:09PM (#43851095)
      He did ask that payment be sent to his parents account, they denied it.
    • by Culture20 (968837)
      It's not about the money, it's about the signing over of rights.
    • by Joce640k (829181)

      It seems obvious to me, but if Robert Kugler is too young to receive the award

      Is there an age restriction on owning money?

      I'll try to remember that the next time I see girl scouts selling cookies.

      And I'll notify the authorities immediately if I see any kids mowing the neighbor's lawn. It's my moral duty.

      • by Khyber (864651)

        "Is there an age restriction on owning money?"

        Why yes, there is, especially if something has been found to be in violation of child labor laws.

        But, this isn't the matter.

  • To be fair I can see where paypal is coming from, trying to cover their rears in case of some problems with the law when it comes to paying minors a lump sum, however if Kugler had found the bug he should've been awarded the money. If it wasn't stated in their fine print they have no choice, in my opinion. (That being said, you need to be eighteen in order to even have a paypal account, so it should render the point null).
  • by CanHasDIY (1672858) on Wednesday May 29, 2013 @12:30PM (#43851401) Homepage Journal

    Pure, unfiltered bullshit.

    Evidence: 16-year-olds who work at McDonald's.

    C'mon, PayPal; Fuckin' a kid around is bad enough, but then having the balls to lie to his face about why? That's uber-dickish.

    • Pure, unfiltered ignorance

      On your part, yes. (I.E. TFTFY).

      Evidence: I didn't know that 16-year-olds who work at McDonald's only do so under special legal restrictions and with parental permission.

      Fixed that for you too.

      C'mon, PayPal; Fuckin' a kid around is bad enough, but then having the balls to lie to his face about why? That's uber-dickish.

      Seriously, get a clue what you're talking about. The terms of the program require an active PayPal account - which a minor can't have. The only dick

      • Pure, unfiltered ignorance

        On your part, yes. (I.E. TFTFY).

        Evidence: I didn't know that 16-year-olds who work at McDonald's only do so under special legal restrictions and with parental permission.

        Fixed that for you too.

        You didn't fix shit, you cocky asshole. I've worked since I was 15, and guess what? Never needed parental permission, and the only "special legal restrictions" I dealt with were that I wasn't supposed to work past a certain time (10 PM I think) on schooldays, though that never stopped management from scheduling me til close.

        Spend a little more time doing research, and a little less time being so sure of yourself, and maybe next time you won't come off as such an arrogant, know-nothing prick.

        • You didn't fix shit, you cocky asshole. I've worked since I was 15, and guess what? Never needed parental permission, and the only "special legal restrictions" I dealt with were that I wasn't supposed to work past a certain time (10 PM I think) on schooldays

          Then you worked under very unusual circumstances. And you're ignorant enough to mistake them for being universal. (As if your inability to express yourself without profanity wasn't example enough of your ignorance.)

          Spend a little more time doin

  • If there is an age issue, couldn't they just toss the funds into escrow, maybe an interest earning money market, and cut him a check on his 18th B-Day?

  • by Anonymous Coward

    Sure it was. Does anyone actually buy this?

  • Well done guys.
    Clear message here kids; next time sell the exploit in a black hat forum.

    Paypal, proudly fucking you over since 1998.

  • The message: (Score:5, Interesting)

    by Opportunist (166417) on Wednesday May 29, 2013 @12:58PM (#43851747)

    When you're young, don't report the bug to the company in question or the authorities, report it to those that can make "good use" of them. Not only do they not have any problem with you being underage, you being underage also means you most likely won't be doing time if you get caught.

    It's just so win-win...

    • When you're young, don't report the bug to the company in question or the authorities, report it to those that can make "good use" of them...It's just so win-win...

      Yes, this comment was by the "Opportunist".

  • Whose Account ? (Score:4, Interesting)

    by the eric conspiracy (20178) on Wednesday May 29, 2013 @12:59PM (#43851767)

    PayPal has an account eligibility requirement that you must be 18 to open an account. And yes I checked it applies in Germany.

    Also you aren't supposed to let others use your account.

    So how did he avoid these terms of service?

    • So how did he avoid these terms of service?

      It's a thing called parental supervision.

      No doubt one parent could have submitted the bug and gotten the money if it had just been a question of money, but how will the child be able to claim credit for discovery to his friends, to a school he will apply to, or on his resume, if instead of his own name, the name of one of his parents is listed on PayPal's web site as the person responsible for the bug discovery.

  • At first, I didn't feel sorry at all. Usually, the guidelines specifically point out you must be 18+, and you agree to this upon submission. But then, I couldn't find anything about age restrictions [paypal.com]. However, it does say "The bug bounty program is subject to change or to cancellation at any point without notice." and a bunch of other "Hey, we can screw you over if we want, and you agree to this upon submission." Therefore, I feel a little sorry for the guy because there is NO indication of an age restri
  • ....PayPal, it just makes you look worse. If you had that vulnerability found already, there should have been something posted somewhere.

    At this point, the only way for PayPal to save face is to dole out the reward and create a new policy stating all of the rules and when the bug is reported and verified, it should be posted immediately.

    • Came here to say this. "Reported by another researcher" could be a very handy boilerplate response if there's no list of found vulnerabilities. They could even post a hash of a vulnerability's description until they fix it.
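
The hash-posting idea in the comment above, sketched as an added example (not part of the original thread and not a description of any PayPal process): a vendor publishes a salted commitment when a report arrives, then reveals the report and nonce after the fix so a later reporter can check a "duplicate" claim. The report fields, dates and ledger format are constructed placeholders.

```python
# Added illustration: salted hash commitment for a "known reports" ledger.
import hashlib
import hmac
import json
from datetime import datetime, timezone
from secrets import token_bytes

NONCE_LEN = 32  # fixed length keeps nonce||report unambiguous

# Constructed sample report; every field and value is a placeholder.
SAMPLE_REPORT = {
    "component": "example-checkout-page",
    "class": "placeholder-bug-class",
    "summary": "constructed description of the issue",
}


def canonical(report):
    """Stable byte encoding so the same report always hashes the same."""
    return json.dumps(report, sort_keys=True, separators=(",", ":")).encode()


def commit(report, received_at, nonce=None):
    """Vendor side: build the public ledger entry and the secret nonce.

    The random nonce stops outsiders from confirming a guessed description
    by hashing it, which a bare hash of short text would allow.
    """
    nonce = token_bytes(NONCE_LEN) if nonce is None else nonce
    digest = hashlib.sha256(nonce + canonical(report)).hexdigest()
    return {"commitment": digest, "received_at": received_at.isoformat()}, nonce


def verify_prior_report(entry, report, nonce, my_submission):
    """Researcher side, after the fix and reveal.

    True only if the revealed report and nonce reproduce the published
    commitment AND the entry is dated before the researcher's submission.
    Assumes the ledger itself was published where its date cannot be
    rewritten later (hypothetical append-only page).
    """
    if len(nonce) != NONCE_LEN:
        return False
    digest = hashlib.sha256(nonce + canonical(report)).hexdigest()
    matches = hmac.compare_digest(digest, entry["commitment"])
    earlier = datetime.fromisoformat(entry["received_at"]) < my_submission
    return matches and earlier


if __name__ == "__main__":
    first = datetime(2013, 5, 1, tzinfo=timezone.utc)    # constructed dates
    second = datetime(2013, 5, 20, tzinfo=timezone.utc)
    entry, nonce = commit(SAMPLE_REPORT, first)
    print(entry)
    print(verify_prior_report(entry, SAMPLE_REPORT, nonce, second))
```

The commitment proves only that the vendor held this exact text when the entry was published; the date is as trustworthy as the place the ledger is posted.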

  • They should ban minors from hacking their site for personal gain and entertainment as well. That would probably cut down on the majority of the script kiddie attacks, and of course would be 100% effective.

    Or even better, arbitrarily RAISE the age at which people are legally allowed to hack their site - that could eliminate ALL security issues, and they'd have no need for bug bounties at all... this security stuff is so damn easy!

  • They received something of value and didn't pay up. I see this as a problem. They should have to give the money to the charity of the kid's choice or something like that.
