Slashdot Mirror
PayPal Denies Teen Reward For Finding Bug
itwbennett writes "You have to be 18 to qualify for PayPal's bug bounty program, a minor detail that 17-year old Robert Kugler found out the hard way after being denied a reward for a website bug he reported. Curiously, the age guideline isn't in the terms and conditions posted on the PayPal website. Kugler was informed by email that he was disqualified because of his age."
^ That's all.
That's a REALLY good way to generate positive publicity for your company - act like a douche.
Yup.
So, the next time a 17yo finds a bug, they don't report it, the exploit it.
Sounds like a plan.
Paypal, perhaps all future underage rewards be in the form of scholarships?
PayPal could have paid into his parent's account, and then froze it.
I'm pretty sure most shareholders would rather you part with tiny sum of money that you owe this kid than to take the tsunami of bad PR and bad faith that would result in you being dicks about it.
The cow says "Moo." The dog says "Woof." The Timothy says "Thanks, valued customer. We appreciate your input."
Way to piss off the community you asked to hack your system. I'm sure this will go well.
They're crooks.
Be it closing your account, taking your money, refusing to pay up, if there's a way to screw you over PayPal will find it.
Why do people try to help corporations for FREE? Its appears most of them only care about making money and saving face, not the social good or their employees. As such they find every way to make more money (Or avoid spending money) at the expense of society and their employees.
If Paypal won't pay the kid for bugs in its system, I bet someone else will.
We got work out of you. And don't have to pay you.
Why? because fuck you that's why!
"Here's a few bucks in a bank account for next year when you go to school!" Oh, no. They didn't think of that. Creeps.
"Remember kids: If you find a bug in Paypal's system, you'll get paid more for selling it to the black hats."
Sometimes it's hard not to think Dick had it right in Henry the Sixth.
Those who would give up essential liberty to purchase a little temporary safety, deserve neither liberty nor safety.
Hell, they could have placed it in a paypal acount. "Here's a few bucks in a paypal account that you can use next year to buy hundreds of dollars of textbooks on half.com"
Bottles.
... in the PR from this, worth more than whatever money PayPay would have given him.
If I was PayPal, I'd offer the kid an internship or something. That is, an internship where I work him to the death and squeeze as much as possible for as little pay as possible. But hey, I'll coerce him to stay quiet and tell him how he'd never have gotten such a wonderful ::snicker:: opportunity otherwise.
You meet and exceed all qualifications for our bug bounty, Mr. Kugler, and we thank you for your participatory effort and hacker spirit. in the spirit of our ethos, we would certainly not be forgiven if we were remiss in this congratulation, and we certainly have not forgotten about the security of the internet. to ensure your reward is provided quickly and safely, we must insist upon our currency the Bitcoin.
All the best,
Anonymous.
Good people go to bed earlier.
I am curious if they chose not to pay due to some kind of underage worker laws or some such? Not trying to make excuses for what clearly could have been handled in a much better fashion (the scholarship suggestion was a good one!), but ... I am curious about the motives, here.
He'll get a nice publicity boost. Seventy years from now or whenever, this incident will be in the kid's obituary.
Deceptive Trade Practices, Selling a Fraud, and a number of other charges I can think of against paypal. He needs an attorney.
Okay, so they have the rules. But seriously, they could still cut the kid a check as a "Hey cool, nice job kid."
And hold the money for him until he is 18? And then give it to him. That would satisfy their policies wouldnt it?
targeted specifically to the kid in question.
Sphinx of black quartz, judge my vow.
Placing it in a PayPal account pretty much ensures he would've never seen his money. This is PayPal. They'd grant the money, find it suspicious, then freeze the account for years.
Have him choose a parent or guardian. That way they aren't jerks and they don't have to set up a brand-new scholarship program.
You know? Like setting up some sort of thing that contributes to a school account or something? That's pretty damned low.
What's the purpose of this 'over 18' rule anyway? I would think that if a kid was able to hack my website, I should be paying them more for the embarrassment factor.
That's generally not how contracts work. Entering into a contract with a minor means that the contract generally is unenforceable against the minor. However, it's still binding on the other party.
Since we all know that the terms and conditions on a website are legally binding, his lawsuit should be pretty straightforward.
Feel free to contact me, kid. I'll gladly represent you.
Welcome to the real world.
If he is too young to receive money for finding a bug, is he also too young to be criminally prosecuted for exploiting a bug ?
While I can appreciate where your skepticism is coming from, you have to realize that Paypal freezing people's accounts is actually not a typical thing. For every person that this sort of thing happens to, there are many hundreds or thousands of others that it does not. Not that I'm saying that it happens at all is acceptable, but it's not statistically valid to assume that something which happens a tiny fraction of 1% of the time might be sufficient reason to believe that one should actually be actively *expecting* it to happen at any particular time.
File under 'M' for 'Manic ranting'
I wonder when big companies will learn that douchery like this always comes back to bite. Are you unaware of the Internet? You can't get away with it!
Signature intentionally left blank.
FTFA:
PayPal requires that those reporting bugs have a verified PayPal account.
The kid didn't have one. Claim denied. What's the story here? (The age thing? That's irrelevant...)
Paypal is really stupid -- I would not be surprised if this actually results in the guy finding more bugs and simply just releasing the information without giving Paypal any heads up about it.
Welcome, Mr. Kugler, to the good ol' US-of-A, where you aren't a real person until you can cast a ballot. If you get a job, you must follow a different set of rules. If you break a law, you get a different justice system. If you win a contest, you have a different set of rules that forbid you from winning anything. That's right, in several states you can't actually own property until you're 18. I'm not sure what jurisdiction PayPal/eBay is playing ball in, but in general, don't expect the government to ever side with anyone who hasn't reached that magical moment where they are instantly freed from their childhood stupidity.
You see, despite biology saying that humans are mature at around 15 years, the Puritans who founded the United States were rather squeamish about things like youthful ambition, political activism, and worst of all, sex. The generally-accepted age of maturity moved back several years, finally settling at 18, and it's been stuck there. Of course, anyone under 18 who wants to have their full rights doesn't have the right to get them (except through a red-tape-filled emancipation process), and no parents ever want their darling little children to grow up so fast, and no politician would dare propose an affront to "traditional family values", so there are no realistic attempts to get more legal power for minors.
A few states allow certain adult rights to 16- and 17-year-olds, but those rights are usually restricted to things like "can work on a farm" and "can be prosecuted as an adult for heinous crimes". Practically all other rights are the domain of the parents, so there's a slim chance that your parents could ask for the reward as promised, but that's unlikely to work, because they didn't find the bug.
Welcome, sir, to America, where our child abuse is civilized!
You do not have a moral or legal right to do absolutely anything you want.
So, basically, they have secret conditions to their offer to pay for revealing of bugs, and they don't tell anybody what those secret conditions are.
So, uh, why would anybody expect to be paid? What other secret conditions do they have, which they can reveal at any time and say "oh, so sorry, but one of our terms is that we don't pay under (xx) conditions."
--I'm sorry, but we don't pay if you work for a competitor, or a company that we deem might be a competitor in the future
--I'm sorry, but we don't pay if it's a vulnerability that can be traced to a flaw in an Adobe product, or in a commercial database program we may use that was purchased from an commercial source.
--I'm sorry, but we don't pay if you're from a country that doesn't speak English.
--I'm sorry, but we don't pay if the vulnerability is discovered by somebody from states with names beginning with a vowel.
--I'm sorry, but we don't pay if the vulnerability is one that is only active on days of the week ending in "y".
http://www.geoffreylandis.com
Hell, they could just award the amount to him it the form of a scholarship.
Most kids turn are 18 before starting college.
Then it would be up to him to use the money or not by attending college.
But Paypal would come out of it looking much much more reasonable.
Depending on the amount and the state of residence this may be a small claims court case, in which case it would be a slam dunk - and if you do have to go to real court, get the EFF to provide council - thats why they exist...
It happens enough that smart people don't keep money in their PayPal account any longer than they have to.
Isn't using the word in "pretentious" in pretentious 'cork sniffing asshole' redundant?
If you want news from today, you have to come back tomorrow.
Paypal ist ein arschloch. Die Junge will kein geld haben. Paypal soll gibt ihn seine Anerkennung.
True... but equivalently, a smart person has no statistically valid reason to actually *expect* it to happen to them, personally, at any given time, simply because they happen to have an account with paypal.
I'm not suggesting that it's a reason to trust them implicitly, I'm only suggesting that overemphasizing the importance of outlying cases to the point that one thinks they should expect such incidents as a matter of regular order of business is not valid.
File under 'M' for 'Manic ranting'
Give the fucking kid a scholarship to college...or a paid internship at Paypal. Is it not possible for anyone to do any serious work until they are 18 yrs? wtf
My God can beat up your God. Just kidding...don't take offense. I know there's no God.
Hold on friend. A 15 yo may look like an adult but they do not think as adults yet. Adolescents do not possess the ability to accurately evaluate the future consequences of their actions. They slowly develop this ability over time. I'm still developing that ability myself, or at least I hope I am.
This speaks directly to the situation at hand as apparently Paypal wants the "winners" to enter into some type of enforceable contractual agreement. Never mind that knowing Paypal, that contractual agreement probably only protects them and fucks the "winners". As a minor, any contractual agreement he would enter into is unenforceable. The laws are written that way not to prevent you from dating teenage girls but to protect the adolescent from entering onto a contractual agreement that has detrimental repercussions that the adolescent did not see because of their not yet fully developed ability to evaluate the consequences of their actions.
Disclimer: I am currently a parent of a 15 yo.
"The ferrets, they're every where I tell you!"
When he turns 18, he should resubmit the bug for reward, and he should get the reward as he is demonstrably the first person who found it.
Take the cheese to sickbay, the doctor should see it as soon as possible - B'Elanna Torres, "Learning Curve"
That's a foolish thing to do. Now that kid won't report the second bug he found and may just publish it in some innocuous place where it will get picked up by a ne'erdowell and be exploited - something that will no doubt cost more than if PayPal had just done right by the kids in the first place.
Hold the money for him until he turns 18. See that way you don't look like a jackass to the very community you are asking to help you.
Sincerly,
CPTN O
When you're the only game in town you get to make all the rules.
Join the Slashcott! Feb 10 thru Feb 17!
How many contests do you see from American companies that do not have the clause in them "Persons must be 18 years or older to claim prize" when it involves a cash payout? What, 98% of them? So when paypal does what everyone else suddenly they are an evil corporation that sacrifices kittens and drinks infant blood? Give me a break you guys. You just want to hate paypal for the sake of being on the hate bandwagon.
I know some of you have had problems but millions of people use paypal everyday without a problem like me. But some people have a problem and then run around making it sound worse than it is because they skew the facts or make them sound worse than they are so others will side with them. And of course they sound horrible because you the low percent are also the loudest and you only pay attention to the negative stuff others say, you notice anytime someone has a problem and say "SEE! They are evil because that person says they are also!".
If you don't like paypal don't use it. Its that easy and instead of turning one little problem into a crusade maybe you should spend more time focusing on things that make you happy.
PayPal: neither pays nor is your pal. Discuss.
Before paypal gets hacked.
Is there no button to delete your slashdot account? ...work on that.
The rules say that "Payment is paid out through a verified PayPal account, once the bug is fixed." It's not required to have a PayPal account to win. That's just the payment mechanism eBay prefers. Once someone has won, PayPal owes them money. PayPal is a debtor here.
Debtors do not. in general, get to require that their creditor jump through hoops to get paid. Whether eBay is entitled to require payment via their own system is a legal issue which eBay would probably lose. Any collection lawyer or collection agency should be able to take this case and win.
On top of that, this is a "contest", and in the US, contests are regulated by the FTC's Contest Rule. Federal law limits what a contest operator can require after they've told someone they've "won".
If he had sold it to some russian evil mafia-hackers, they could have paid him via PayPal (set up with a false name or something) but PayPal isn't going to do what they said they'd do ("We pay you if you find a bug in your system and report it").
Nice lesson they taught him there...
When I was 17 (Two years ago) I was able to sign an NDA and write code for a company while getting payed about $500 a month. If I was able to do that, I see no reason that paying this kid would be against the law.
PayPal is a subsidiary of eBay. The CEO's name is John Donahue. I've written to him. If anyone else wants to:
John Donahue
CEO, eBay
2055 Hamilton Ave
San Jose, CA 95125
It's my belief that as of 2013, a personal letter, written in ink on physical paper in an envelope with a stamp, sent by USPS, has more impact than e-communication or online petitions.
"How to Do Nothing," kids activities, back in print!
The fact of the matter is that Paypal should have thanked the individual with a reward regardless of age or account status. If a teenager can find a bug (and I'm assuming it's a pretty significant bug) without an account, it makes you wonder what he might have found had he had an account. It makes me wonder who else will now try to hack PayPal and exploit found bugs. This teenager in the pursuit to get some cash, and maybe with a noble cause to make the product better, found a bug, reported it and then is insulted for his efforts.
PayPal is doing everything in their power to shoot themselves in the foot.
Life takes interesting turns, but the most interest is when you're off the beaten path.
The next time a teenager finds an exploit in PayPal, what are the odds they're going to report it, and not exploit it? After this dick move, the report odds go down and the exploit odds go up. Stupid, stupid, stupid.
Finding God in a Dog
There's others out there that will. And generally they are the ones looking to exploit those bugs. Factor that in next time PayPal.
I am Bennett Haselton! I am Bennett Haselton!
PayPal just went out of their way to screw someone and take their money? That's so unlike them. This must be the first time that PayPal has ever done anything like this. They're usually so respectable.
Really. I've been there and that place is rank with an unintelligent thug mentality that I've also experienced online as well as on the phone. While talking to their security people investigating my account, I was asked, "are you being sneaky?", which doesn't bode well for productivity in any kind of business.
Let's pay directly.
Do you have homeowner's insurance? You realize that the odds of your house burning down or some other catastrophe striking is about 0.5%, right? So why bother with insurance?
The reason is that there's a second factor here that you're ignoring. Yes it's important to consider the actual small chance of Paypal freezing your account. But equally important is how big an impact such a freeze would have on your or your business' finances. If you're some rich guy with money spread across dozens of accounts (to stay under the $250k FDIC limit), then it's no big deal. Likewise, if a rich guy owns a dozen homes and can afford to buy another the next day if one burns down, he'll actually save money on average by foregoing homeowner's insurance.
But if you're a normal person, your home burning down would be an unrecoverable catastrophe. Likewise having your account frozen can be devastating to your finances, possibly even leading to your business going bankrupt. That's why you buy homeowner's insurance despite the small chance of disaster actually striking - it would be a financially unrecoverable event, so you buy insurance to protect yourself in case it happens. Likewise, you may want to avoid Paypal despite the small chance of having your account frozen, if the frozen account would or may be a financially unrecoverable event.
Next time, do it right. An analogy follows:
1. 17 year old: "Dad, this lottery ticket I bought is a winner."
2. Father: "Here, give it to me, I'll take care of it."
3. ????
4. Profit!
A guide from your friends at paypal.
If course you have your home insured.... but if you're remotely normal, you don't go around acting like you actually *expect* to have your house burn down any day now, simply because there's a statistical chance that it could happen.
There's a big difference between being cautious and being paranoid that something bad is going to happen.
File under 'M' for 'Manic ranting'
Why? The person in charge of the program is sooooo fucking irrelevant and so fucking dumb (obviously not real security researcher, just some point and click pansy fuck) that they HAVE to take douche action like this for themselves to feel important.
Yes it's all about them. Fuck the kid, and security? who cares! As long as I have control of the outcome and play god is all that matters! HAH Look at me! I run the paypal security program! I"M GOD
jesus fucking allah
Do YOU have *any* actual numbers to back up *any* of your claims?
Captcha: deflate
Sometimes I really do think I'm the only person who's never had a single problem with PayPal...
The closest I've ever come, is getting my PayPal debit double-charged because a place I ordered something from apparently doesn't know how to properly handle credit cards. (They made a second charge instead of finalizing or releasing the pre-authorization hold they made.) But I can hardly blame a third party's incompetence on PayPal.
It seems like every other person on the internet has some horror story about PayPal. Which I totally believe, I'm not saying otherwise, but jeez... Is this where I'm using up all my luck?
Friend: "The NIC is misconfigured..." Me: "No prob, I'll just telnet in and fix it." *Silence*
Congratulations PayPal. You have discovered the secret formula for creating a criminal hacker.
[Rent This Space]
Wow, 17 years? You can get any bank account in your name before you're even 12! I can think of at least a dozen ways you could have made this kid whole. Way to diss the kid...
Please be sure to copy and paste your comments to PayPal's forums too.
Thread is here: https://www.paypal-community.com/t5/My-Feedback-for-PayPal/Shame-on-PayPay-for-Cheating-a-17-year-old-website-bug-finder/m-p/647249/
Less *is* more.
All of the comments discussing legal concerns is stifling. Most of it doesn't make any sense except to register the point that even the simplest of things can be excruciating when done in court. I like the scholarship idea but the way the money is given to the kid should be left to him. Set up a trust fund or give him an IOU that accumulates interest. Tell him he can't receive money but because of his interest in the company, he can receive Paypal points that can be used to purchase items that amount at least to the amount he would have been paid if he was 18. Paypal should know that teenagers have the time, interest and experience to look at problems they might have and are more likely to do so for a lot less than older people. They should be at least as creative in their rewards as they are in their requests for help.