Audit: PayPal’s “Bug Bounty” Program to Track Breaches Down
PayPal launches a bug bounty program and starts paying researchers who report the security vulnerabilities they find.
This approach builds on PayPal’s existing reporting process, which did not provide for paying vulnerability reporters. Originally unsure about the idea, PayPal admits it was wrong, as the prospect of a reward may push researchers into actually submitting their findings. The existing programme has subsequently been updated, and reports are now classified under four categories (XSS, CSRF, SQL injection and authentication bypass).
The amount of each bounty is set according to the severity of the discovered vulnerability and is transferred to the hunter’s PayPal account.
This method, which relies on external know-how and on some researchers’ quest for recognition, is already used by other major players, including Google, Mozilla, Samsung and, more recently, Facebook (see the January 2012 Insight). For now, PayPal is the first financial services company to have opted for this solution, encouraged by the conclusive results of its predecessors. The principle is fairly simple: payment is conditional on the bug being reported in an appropriate manner, without impacting the company’s services.
These initiatives are expensive to run, which explains why only the main players can afford to implement them. Considering their online visibility and the current headlines, many would actually benefit from setting up such programmes.