PayPal is to update its bug bounty programme, with financial rewards offered according to the severity of the flaw.
CISO Michael Barrett said that it was one of the first companies to implement a bug reporting process but admitted that ‘no company can do it all alone’, so it has updated its original bug reporting process into a paid bug bounty program.
He said: “The experience from other companies such as Facebook, Google, Mozilla, Samsung and others who have implemented similar programs has been very positive. I originally had reservations about the idea of paying researchers for bug reports, but I am happy to admit that the data has shown me to be wrong – it's clearly an effective way to increase researchers' attention on internet-based services and therefore find more potential issues.”
Barrett said that the program works by researchers submitting bug reports to PayPal via the same secure reporting process using PGP encryption that it had in place previously.
Reports are then sorted into one of four categories: XSS (cross-site scripting); CSRF (cross-site request forgery); SQL injection; or authentication bypass. “We will then determine the severity and priority of the problem and our developers will fix the issue and then release the fix into our production environment. We then pay the researcher – via PayPal, of course – once the bug is fixed,” he said.
“While a small handful of other companies have implemented bug bounties, we believe we are the first financial services company to do so. It's yet another example of the innovation that PayPal is bringing to shake up the industry as the world moves more and more payments online.”