When Robert Kugler reported a bug to PayPal, he was hoping to get paid as part of the company’s bounty program. But the eBay-owned company rebuffed him. He was 17—underage.
On May 19, Kugler, a security researcher from Germany, notified PayPal of a cross-site scripting (XSS) flaw that would permit anyone who exploited it to steal sensitive information. For a site that deals in financial transactions, this is not an insignificant vulnerability.
According to PC World, eBay officials notified Kugler via email that because he was under 18, he was in violation of its guidelines for security researchers. It’s worth noting the company’s site doesn’t actually mention the age restriction.
For his part, Kugler believes PayPal’s actions are setting a bad precedent and that they’ll only discourage others from finding and reporting vulnerabilities.
“It’s not the best idea when you’re interested in motivated security researchers,” he wrote in his report on security researcher site SecLists.org.
UPDATE: PayPal denies that Kugler’s age was at issue. Actually, another researcher beat him to the punch. Here’s the company’s statement:
In this specific situation, the cross-site scripting vulnerability was already discovered by another security researcher, so [the bug] would not have been eligible for payment, regardless of age [of the researcher], as we must honor the original researcher that provided the vulnerability.
Photo via Liz Wise/Flickr
Fidel Martinez is a web culture and politics reporter. His work for the Daily Dot focused on Reddit and YouTube.