PayPal Reviewing Qualifying Age For Vulnerability Rewards
itwbennett writes "In follow-up to 17-year old Robert Kugler's claim that PayPal denied him a bug bounty because he was under 18, the company now says that it is 'investigating whether it can lower the qualifying age for vulnerability rewards for those who responsibly report security problems.' The company also said that the vulnerability had already been reported by another researcher — although they didn't mention that in the email to Kugler telling him he wouldn't be receiving payment."
Award scholarships for under-aged people (Score:2)
That should sidestep all the legal complications.
Re:Award scholarships for under-aged people (Score:5, Informative)
OP is a dumbass, there aren't any legal complications here, just policy:
Kugler has a record for finding security problems. He's received two payments for US$4,500 from Mozilla for finding two problems in its Firefox browser and also was listed as a noted security researcher by Microsoft last month.
Mozilla had no problem paying him.
Re: (Score:1, Insightful)
Mozilla is not a publicly traded corporation and all profits are plowed back in to Mozilla.
PayPal's parent eBay, on the other hand, is a publicly traded corporation whose goal is to make a profit for stock holders. Thus laws for it are very different.
Comparing a Mozilla bug payment to a PayPal bug payment is a very apples to oranges comparison.
And you need to learn how to debate an issue without attacking others by calling them "dumbass".
Re: (Score:1)
Mozilla is not a publicly traded corporation and all profits are plowed back in to Mozilla.
PayPal's parent eBay, on the other hand, is a publicly traded corporation whose goal is to make a profit for stock holders. Thus laws for it are very different.
Honest question:
Are you saying that Mozilla has fewer constraints with respect to paying minors because it is a non-profit org?
What if we were talking about a privately held for-profit corporation? Would they be constrained just as the publicly traded corp is?
Yeah I know... ask a lawyer... :(
Re:Award scholarships for under-aged people (Score:4, Interesting)
None of what you said has anything to do with the age of the bug researcher. Still a pretty stupid argument imo, name one law that would prevent a 17 year old from getting paid for finding a bug.
I do however agree that they are not the same company and would go about writing their policy around it differently, but that has nothing to do with the legality of it whatsoever.
Your "insightful" off point and irrelevant statement got mine downmodded you ho. J/k :)
And one more time just to be clear: corporate policy != law and amen for that.
Re: (Score:2)
AC, it's actually an NDA that makes the most sense that they would make him sign, a contract has a start and end date, an NDA can say something like no disclosure till the bug is fixed.
My point stands, there's no legal problem here as NDAs are not age specific.
http://en.wikipedia.org/wiki/Non-disclosure_agreement
Re: (Score:1)
"A non-disclosure agreement (NDA), also known as a confidentiality agreement (CA), confidential disclosure agreement (CDA), proprietary information agreement (PIA), or secrecy agreement, is a legal contract between at least two parties"
Re: (Score:1)
Parent is a dumbass, "somebody else did it first" isn't a legal defense, just wishful thinking.
...especially when the "somebody else" is a completely different type of entity operating in a different jurisdiction with different laws and in different circumstances.
Re: (Score:1)
Re: (Score:2)
"Legal Complications"
If there are legal reasons to not award people under the age of 17 with rewards and such for doing good, then the law is wrong. But then again, this is the "nanny state" where we write laws to protect people from themselves, and in the name of "protecting the children". These laws fix outlying problems at the expense of everyone else.
And remember...this is Germany, where 16 is the legal age for getting a job.
Re: (Score:2)
That should sidestep all the legal complications.
Or, they could do what child-oriented contests and websites have done since time unknown:
Kids! Get your parents to submit written permission and you too can take part in whatever the hell it is we're doing!
Re: (Score:2)
it was promised as a cash reward, don't force him to spend it on university...put it in escrow and cut him a check when he turns 18 if there is an age issue
Re:Award scholarships for under-aged people (Score:4)
And give the scholarship a grand-sounding name, so the kid can get some extra mileage in buffing his resume; such documents are often read by non-technical personnel who might misunderstand "Earned $**** reward for finding security vulnerability" (OMG HAX!), but would love to see something like "Recipient of the Paypal Merit Scholarship for Computing Security Excellence in Youth".
Why restrict it at all? (Score:4, Insightful)
Re:Why restrict it at all? (Score:5, Insightful)
If anything, it's a learning experience.
Indeed. A valuable lesson for any impressionable youth to learn: Paypal will work very hard to screw you out of anything it can. Unless the PR blowback gets bad enough.
(Paypal can apparently tolerate a certain low buzz of "Paypal sucks". They have considerably more trouble with Streisand-amplified flak.)
Re: (Score:2)
There may be some sort of 'ability to enter into legally binding contracts' thing going on. But seriously just hold the payment till he turns 18. Happy birthday kid!
People make things so hard for themselves sometimes.
Re: (Score:2)
It's a voluntary process, why would they need to restrict it? It's not like it's forced child labor. If anything, it's a learning experience.
Yeah, he learned that he should never report a vulnerability. At best, you get nothing for your trouble, at worst you get the FBI breaking down your door and you get Aaron Swartz'd by some overzealous DA.
Re: (Score:2)
Re:Why restrict it at all? (Score:4, Insightful)
There is only one reason to restrict it...legal CYA. Remember everywhere in the world makes their own laws and many of them have restrictions on what one can do with young people, which includes paying them.
Does paying a minor, even for such a voluntary action, require parental approval? If a 15 year old submits a bug, gets paid, and uses the money to buy drugs, could the parent sue, claiming they were irresponsible to give so much money to a teenager directly?
Remember, lawmakers are lazy, they like to be overly broad or not think things through, I could totally see legislative attempts at curbing anything from drug use to underage prostitution hamfistedly creating problems here. Law is often not limited by its own intentions.
In the end, I bet the answer has three letters: CYA:
"What are the implications of allowing people under 18 to submit bugs?"
"It depends on......."
"Ok sorry I asked; no submissions from people under 18."
Re: (Score:1)
If a 15 year old submits a bug, gets paid, and uses the money to buy drugs, could the parent sue, claiming they were irresponsible to give so much money to a teenager directly?
let me answer your question with a blanket YES - anybody can sue anybody for anything, for any claim. then it becomes a probability game of their odds of winning, the potential cost if you lose, and the cost of defending, even if you were to win. throw in some unquantifiables such as PR reputational costs, etc.
on the other hand, the plaintiff plays the same probability game, and will only sue if there's a good chance of seeing some $$. So it's all a rent-seeking game of thuggery and extortion. welcome to t
Re: (Score:2)
> on the other hand, the plaintiff plays the same probability game, and will only sue if there's a good
> chance of seeing some $$
Well no, it's if they believe there is a good chance, which is different from whether there is, but also, whether there is depends on what court in what country. My point is, this looks pretty clearly like it was CYA from the beginning and likely something they didn't think through since it was likely viewed as more trouble than it's worth.
Re: (Score:1)
Re: (Score:2)
I don't consider that child labor so no. However, if you do, then yes, that's exactly what I would want; regardless of the label you put on it.
Re: (Score:1)
Re: (Score:2)
obviously the hormonal impact of having children has clouded your ability to understand what child labor actually means and why it is generally banned. If you ever do get beyond that you will see what I mean, trust me.
Re: (Score:2)
""What are the implications of allowing people under 18 to submit bugs?""
If you won't pay them as promised, someone else will.
Mr. Kugler should be checking his paypal account for the tidy sum I just tossed his way.
I hope PayPal is happy, because now I know how deep this rabbit hole goes, and it's a SEVERE PCI-DSS violation, which I shall be reporting, or exploiting, I'm not sure of which, yet.
Either way, there's about to be a HUGE shitstorm for paypal, and this will likely end up having them fully-regulated
Re: (Score:3)
According to the terms of the program, yes.
"Payment is paid out through a verified PayPal account, once the bug is fixed." [paypal.com]
A minor can't have a PayPal account. As well, there's a "Terms for participation" which implies a contract to submit the bug. If a minor can't enter a contract, they can't agree to the terms.
Re: (Score:2)
That is kind of tangential to the point though. Yes, those are the terms, but, what the terms are doesn't address what they can be or why they are the way they are. I meant in more general terms, can you legally pay a minor without permission from their parent? Certainly, I imagine there are places and situations where you can, unambiguously and legally do so, but it's not hard at all to imagine places and situations where you cannot or where whether you can is ambiguous.
I think this really boils down to a b
Re: (Score:2)
Good analysis.
If a 15 year old submits a bug, gets paid, and uses the money to buy drugs, could the parent sue, claiming they were irresponsible to give so much money to a teenager directly?
Just to strip away the euphemisms here for clarity - Paypal likely isn't afraid of paying the youngster for good work - it's afraid of what government thugs might do to them if they do.
I'd rather live in the world where a youth can be rewarded for diligent, intelligent work.
Re: (Score:2)
It's all about lawsuits. Laws cannot be written with every specific case in mind (and probably should not). The very purpose of judges (and juries) is to determine the application of law in each specific case.
The problem (in this case) is neither the judges nor the lawmakers. It's the lawyers, and the sue-happy culture. A large company's primary goal operationally is to avoid lawsuits. It's not to make money. It's not to create products. It's to avoid lawsuits. That should tell you everything about the cul
Re: (Score:2)
There is only one reason to restrict it...legal CYA.
"PayPal security is sooo bad, even a six-year-old can break it."
That would be another reason for placing an age limit on people who submit bugs, possible embarrassment.
Re: Why restrict it at all? (Score:2)
Child labour laws usually prohibit voluntary labour by persons under a certain age (with varying ages, transitional age ranges allowed to work limited hours, etc.).
Re: (Score:2)
Child labour laws usually prohibit voluntary labour by persons under a certain age (with varying ages, transitional age ranges allowed to work limited hours, etc.).
Indeed; in the USA, that age is generally 16 (although exceptions do apply for work permit holders and farm kids)
Re: (Score:2)
Re: (Score:2)
With highly restricted hours, and if McDonald's isn't following that restriction, they're about to get fucked, royally. Won't matter if it's an independent franchise or not.
Re: (Score:2)
Re: (Score:2)
yet you can be 14 and work at a mcdonalds, at least in NY
I figured as much; hence my use of the term, "generally."
In Missouri, employing anyone under the age of 16 requires a valid work permit (exception made for farm hands).
Re: (Score:2)
Re: (Score:2)
Really it seems like this is a way to force younger people into criminal hacking. Hey, I found a bug on Paypal, I could do the responsible thing, and turn it in and not get paid, or I could exploit it and get paid even better. As if I needed any more reason to hate Paypal.
Re: (Score:2)
Why don't they just admit they don't want to pay him - or anyone.
wouldn't get free work then.
the right thing to do that wouldn't have been a pr snafu would have been to tell him that he'll get his reward when he turns 18.. not that giving minors money would be illegal anyhow.
is their rewards program constructed as a shuffle??
This kid pointed out Paypal's Biggest Vulnerability (Score:3)
Their poor policy and the public's perception of that company. The more people hear about PayPal's poor internal decision making the better off everyone is about avoiding their biggest vulnerabilities.
Make payment to parents or guardians (Score:1)
It seems obvious to me, but if Robert Kugler is too young to receive the award, then arrange to make the payment to a parent or guardian. If somebody else discovered the vulnerability first, then again, obviously, that should have been stated in the initial contact.
Re: (Score:2)
This all assumes that there is some sort of legal restriction on giving money for things like this.
There isn't.
--
BMO
Re:Make payment to parents or guardians (Score:4, Informative)
Re: (Score:2)
Re: (Score:2)
It seems obvious to me, but if Robert Kugler is too young to receive the award
Is there an age restriction on owning money?
I'll try to remember that the next time I see girl scouts selling cookies.
And I'll notify the authorities immediately if I see any kids mowing the neighbor's lawn. It's my moral duty.
Re: (Score:2)
Who said anything about a contract? Why would you need one, are there any intellectual property rights on vulnerabilities/bugs? Does he need to sign the ownership rights over to them so they can collect royalty payments from people who exploit it?
He reported a vulnerability, they acknowledged it exists and that he's reported it to them.
They're not employing him or entering into an ongoing business relationship with him, they need to STFU and give him his money as promised.
Re: (Score:2)
"Is there an age restriction on owning money?"
Why yes, there is, especially if something has been found to be in violation of child labor laws.
But, this isn't the matter.
Re: (Score:2)
Money laundering (Score:2)
The problem with Bitcoin is the difficulty of exchanging it for offline money. The governments of major countries have been cracking down on BTC exchanges [rt.com], claiming that their potential for money laundering outweighs any lawful benefit they might offer. PayPal is big enough to be able to afford compliance with money laundering regulations.
But one alternative to PayPal is Dwolla, the payment processor that people used to use to get their money in and out of Mt. Gox.
Re: (Score:2)
But one alternative to PayPal is Dwolla, the payment processor that people used to use to get their money in and out of Mt. Gox.
Another alternative would be LibertyReserve...what's that? ... oh, never mind.
Legal issues? I hardly knew her. (Score:1)
Just shut up and pay the kid (Score:2)
That is all
Can't 'Legally' Pay a 17-Year-Old? (Score:5, Insightful)
Pure, unfiltered bullshit.
Evidence: 16-year-olds who work at McDonald's.
C'mon, PayPal; Fuckin' a kid around is bad enough, but then having the balls to lie to his face about why? That's uber-dickish.
Re: (Score:2)
run afoul of child labor laws
Was Paypal employing him? Did they have any prior contact with him? Have they ever paid him money before?
If people aren't allowed to buy things off minors then the Girl Scouts of America are completely screwed.
Re: (Score:2)
On your part, yes. (I.E. TFTFY).
Fixed that for you too.
Seriously, get a clue what you're talking about. The terms of the program require an active PayPal account - which a minor can't have. The only dick
Re: (Score:2)
On your part, yes. (I.E. TFTFY).
Fixed that for you too.
You didn't fix shit, you cocky asshole. I've worked since I was 15, and guess what? Never needed parental permission, and the only "special legal restrictions" I dealt with were that I wasn't supposed to work past a certain time (10 PM I think) on schooldays, though that never stopped management from scheduling me til close.
Spend a little more time doing research, and a little less time being so sure of yourself, and maybe next time you won't come off as such an arrogant, know-nothing prick.
Re: (Score:2)
Then you worked under very unusual circumstances. And you're ignorant enough to mistake them for being universal. (As if your inability to express yourself without profanity wasn't example enough of your ignorance.)
escrow? (Score:2)
If there is an age issue, couldn't they just toss the funds into escrow, maybe an interest earning money market, and cut him a check on his 18th B-Day?
Already reported (Score:1)
Sure it was. Does anyone actually buy this?
Excellent motivation and publicity, Paypal! (Score:2)
Well done guys.
Clear message here kids; next time sell the exploit in a black hat forum.
Paypal, proudly fucking you over since 1998.
The message: (Score:5, Interesting)
When you're young, don't report the bug to the company in question or the authorities, report it to those that can make "good use" of them. Not only do they not have any problem with you being underage, you being underage also means you most likely won't be doing time if you get caught.
It's just so win-win...
Re: (Score:3)
When you're young, don't report the bug to the company in question or the authorities, report it to those that can make "good use" of them...It's just so win-win...
Yes, this comment was by the "Opportunist".
Whose Account ? (Score:4, Interesting)
PayPal has an account eligibility requirement that you must be 18 to open an account. And yes I checked it applies in Germany.
Also you aren't supposed to let others use your account.
So how did he avoid these terms of service?
Re: (Score:2)
So how did he avoid these terms of service?
It's a thing called parental supervision.
No doubt one parent could have submitted the bug and gotten the money if it had just been a question of money, but how will the child be able to claim credit for discovery to his friends, to a school he will apply to, or on his resume, if instead of his own name, the name of one of his parents is listed on PayPal's web site as the person responsible for the bug discovery.
only feel a little sorry for him (Score:2)
Backpedaling doesn't make you look better.... (Score:2)
....PayPal, it just makes you look worse. If you had that vulnerability found already, there should have been something posted somewhere.
At this point, the only way for PayPal to save face is to dole out the reward and create a new policy stating all of the rules and when the bug is reported and verified, it should be posted immediately.
Re: (Score:2)
Came here to say this. "Reported by another researcher" could be a very handy boilerplate response if there's no list of found vulnerabilities. They could even post a hash of a vulnerability's description until they fix it.
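The idea in the comment above, publishing a hash of a report until the fix ships so that a later "already reported" reply can be checked, sketched as an added example (not part of the original thread, and not something PayPal is known to do). It assumes a random nonce is mixed in, because a bare hash of a short description can be guessed; the function names and the sample report are constructed.

```python
import hashlib
import hmac
import secrets


def _digest(nonce: str, received_utc: str, description: str) -> str:
    # Length-prefix every field so bytes cannot be shifted between fields
    # to produce the same hash for a different (date, description) pair.
    h = hashlib.sha256()
    for field in (nonce, received_utc, description):
        data = field.encode("utf-8")
        h.update(len(data).to_bytes(8, "big"))
        h.update(data)
    return h.hexdigest()


def commit(description: str, received_utc: str) -> tuple[str, str]:
    """Vendor side, at triage: returns (commitment to publish, nonce to keep).

    The random nonce is an assumption added here: without it, anyone could
    hash likely descriptions and learn what the unfixed bug is.
    """
    nonce = secrets.token_hex(32)
    return _digest(nonce, received_utc, description), nonce


def verify(commitment: str, nonce: str, received_utc: str, description: str) -> bool:
    """Anyone, after the fix: check the revealed values against the published hash."""
    expected = _digest(nonce, received_utc, description)
    return hmac.compare_digest(commitment, expected)


def demo() -> tuple[bool, bool]:
    # Constructed sample report and timestamp, not taken from the thread.
    report = "Example report: input handling issue in the search form"
    published, nonce = commit(report, "2013-01-01T00:00:00Z")
    honest = verify(published, nonce, "2013-01-01T00:00:00Z", report)
    # Claiming an earlier receipt date than the one committed to must fail.
    backdated = verify(published, nonce, "2012-12-01T00:00:00Z", report)
    return honest, backdated


if __name__ == "__main__":
    print(demo())
```

The hash only shows that the revealed text and date match what was committed to; when the commitment was made has to come from where it was published, such as a dated public page or a third-party timestamp.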
Here's another idea for Paypal (Score:2)
They should ban minors from hacking their site for personal gain and entertainment as well. That would probably cut down on the majority of the script kiddie attacks, and of course would be 100% effective.
Or even better, arbitrarily RAISE the age at which people are legally allowed to hack their site - that could eliminate ALL security issues, and they'd have no need for bug bounties at all... this security stuff is so damn easy!
Something is wrong... (Score:2)
They received something of value and didn't pay up. I see this as a problem. They should have to give the money to the charity of the kid's choice or something like that.