The Inquirer-Home

Paypal announces a bug bounty programme

Security research on the cheap
Fri Jun 22 2012, 15:33

ONLINE PAYMENT SERVICE Paypal will be offering bounties to security researchers for disclosing vulnerabilities in its services.

Paypal will be joining Google, Mozilla and HP by announcing that it will hand out cash to security researchers who decide to disclose vulnerabilities to Paypal rather than selling them to the highest bidder.

Michael Barrett, chief information security officer at Paypal, said that the firm will be offering payments for vulnerabilities classed as cross-site scripting attacks, cross-site request forgeries, SQL injection or authentication bypass vulnerabilities.

Barrett admitted that initially he wasn't too keen on the idea of paying researchers, saying, "I originally had reservations about the idea of paying researchers for bug reports, but I am happy to admit that the data has shown me to be wrong - it's clearly an effective way to increase researchers' attention on Internet-based services and therefore find more potential issues."

While Barrett disclosed vulnerability categories, he did not say how much cash the firm will be offering. Companies such as Google and HP often try to play up their bug bounty programmes as giving something back to the security community, but in truth it is a relatively cheap way for the firms to tap into talent that would otherwise cost them tens of thousands to hire.

Paypal's bug bounty programme has been put into practice. µ

 
