Robert Kugler, 17-летний студент из Германии, который интересуется компьютерной безопасностью, нашел уязвимость на сайте paypal.com, и решил сообщить о ней в рамках программы по награждению за найденные баги. Однако, ему было отказано, т.к. он не достиг 18 лет. В ответ на это, он опубликовал уязвимость на seclists.org. Вот что он пишет:
Hello all!
I'm Robert Kugler a 17 years old German student who's interested in
securing computer systems.I would like to warn you that PayPal.com is vulnerable to a Cross-Site
Scripting vulnerability!
PayPal Inc. is running a bug bounty program for professional security
researchers.www.paypal.com/us/webapps/mpp/security/reporting-security-issues
XSS vulnerabilities are in scope. So I tried to take part and sent my find
to PayPal Site Security.The vulnerability is located in the search function and can be triggered
with the following javascript code:';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";
alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--
</SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>www.paypal.com/de/cgi-bin/searchscr?cmd=_sitewide-search
Screenshot: picturepush.com/public/13144090
Unfortunately PayPal disqualified me from receiving any bounty payment
because of being 17 years old…PayPal Site Security:
«To be eligible for the Bug Bounty Program, you *must not*:
… Be less than 18 years of age.If PayPal discovers that a researcher does
not meet any of the criteria above, PayPal will remove that researcher from
the Bug Bounty Program and disqualify them from receiving any bounty
payments.»I don’t want to allege PayPal a kind of bug bounty cost saving, but it’s
not the best idea when you're interested in motivated security
researchers…Best regards,
Robert Kugler
К слову, подобные программы от Mozilla и Google позволяют получить деньги участникам, не достигшим 18-летия, с соглашения родителей.
Автор: ValdikSS
