No stranger to the malevolent efforts of cybercriminals, PayPal is now offering financial rewards to researchers who find and report security bugs to the site's administrators.
Michael Barrett, PayPal's chief information security officer, said in a PayPal blog post that although he had "reservations about the idea of paying researchers for bug reports," similar bug bounty programs put in place by Facebook, Google, Mozilla and Samsung have proven helpful in keeping a site safe.
"It's clearly an effective way to increase researchers' attention on Internet-based services and therefore find more potential issues," Barrett said.
PayPal, Barrett said, was one of the first companies to have a bug-reporting program in place; in adding the financial reward, PayPal hopes to entice more "white-hat" hackers to help capture potentially harmful bugs — a win-win for PayPal and the bug-spotters.
PayPal will pay researchers who find and report cross-site scripting (XSS), authentication bypass, SQL injection and cross-site request forgery (CSRF) bugs, all of which are vulnerability classes commonly exploited by attackers to compromise targeted systems. Bug-hunters must share the security flaw with PayPal before making it public online, and must allow "reasonable time to respond to the issue before disclosing it publicly." The company did not say how much it would pay for each bug reported.
Once PayPal determines the severity and priority of the vulnerability, its developers will fix the flaw and pay the researchers — via PayPal.