PayPal Denies Teen Reward For Finding Bug

itwbennett writes "You have to be 18 to qualify for PayPal's bug bounty program, a minor detail that 17-year old Robert Kugler found out the hard way after being denied a reward for a website bug he reported. Curiously, the age guideline isn't in the terms and conditions posted on the PayPal website. Kugler was informed by email that he was disqualified because of his age."

Paypal suck.

[aliquis]

^ That's all.

Re:Paypal suck.

At least provide the link.

Re:Paypal suck.

[KGIII]

That site has been around forever and a day it seems. There are a number of people who have been screwed over by the company. I wouldn't have any sympathy for those people getting screwed except that some of them appear to (and have provided documentation that appears to be proof) be following all the various rules that PayPal has and yet they're still getting screwed over.

One of the biggest and most common problems I see are the jackasses that reverse the charges because they claim they never got the product. Some of them have been so egregious that they claim the product was not new even though the ad provided by the seller clearly indicated that the product was in used condition. Yet PayPal still found in favor of the buyer and forced the refund. They've locked entire accounts worth thousands of dollars at their whim.

I'm beginning to think that if they want to act like a bank that they need to be regulated as a bank but we've all seen how poorly bank regulation is and how ineffective the government's monitoring of banks is so I'm not sure how much of an actual benefit that would be.

In this case it seems to me that PayPal could easily work with the teen and find an adult who could be awarded the reward on the teens behalf. But, well, why do that when they can simply refer to the rules and save the reward money? Assholes... A part of me wants to say that it is the teens fault for not being aware of the rules or for thinking that the rules don't apply to them. Indeed that would normally have been my attitude. However, this is PayPal and, due to that fact alone, means that I'm not inclined to reward PayPal with good-will thinking or benefit of the doubt thinking.

Re:Paypal suck.

[KGIII]

Reading the article is against the rules. I'll be damned if I'm going to be known as a rule violator.

Though, well, it doesn't really surprise me that they'd make up an age restriction rule without having mentioned it in the contest. Given that it is PayPal I'm not only not surprised that they didn't mention it, I'd actually be surprised if it DID mention all of the rules. If they mention all of the rules then they may actually have to pay out. We can't have that now can we? Greed isn't just a motto, it's a fiduciary duty!

Next week we'll find out that it isn't valid on Tuesday, if you're wearing a green shirt, if your first name contains the letter 'e,' or if your phone number contains the number 7. You're also disqualified if you are a security researcher or are even competent enough to turn a computer on. Offer subject to change without notice, of course.

Sadly, it really wouldn't surprise me.

Why don't businesses get it?

[singingjim1]

That's a REALLY good way to generate positive publicity for your company - act like a douche.

Re:Why don't businesses get it?

[Mike+Frett]

Because the number of users whom don't care or didn't read this news is greater than the people that do. And they will continue to use the service no matter what.

Re:Why don't businesses get it?

[jareth-0205]

Who says this is the only report there will be? This is a human interest story that could quite easily be picked up wider than just /.

Re:Why don't businesses get it?

[singingjim1]

It's just poor form and doesn't instill confidence that any decent people are in charge of anything any more. It should be obvious that the right move would to not only give the guy his bounty, but to make sure they publicized that even though he's only 17 they are grateful that he came forward with the bug and are happy to show their appreciation. Why is this just not obvious anymore?

Re:Why don't businesses get it?

[fuzzyfuzzyfungus]

Oh, they could have done any number of things that aren't "be a total asshole".

My point was merely that it is practically boilerplate for contests to have an "Applicants must be US residents 18 years or older" clause to keep legal complexity down, so that part of the story isn't too unexpected. It's just the not having that clause, and then springing it on him anyway, and not even trying to make amends in some other fashion, that is just classic Paypal... Merely forbidding under-18's, because they are a greater pain to deal with, is pretty normal.

Re:Why don't businesses get it?

[slashmydots]

Hey genius, it's a federal law actually.

Re:Why don't businesses get it?

No, it isn't obsolete and does matter. Try to get a book published if you're ignorant of grammar. Now, in a forum like this? If you're going to use "whom" you'd better be damned sure you're using it correctly or you'll look both pretentious and ignorant at the same time. Faux intellectuals are annoying. If you don't know when to use "whom" and when to use "who", just don't use "whom" at all. But don't expect anyone to believe you're ever stepped foot in a community college, let alone a university.

Leave "whom" to the pros, kid. If you're ignorant about a subject, STFU about it except for asking questions and listen. Nobody ever learned anything by spouting off shit they were ignorant about. Pretending to be more knowlegable than you actually are will leave you ignorant and leave everyone else laughing.

Re:Why don't businesses get it?

[hedwards]

It's not obsolete, it's just not necessary in many cases. But, if you're using it as the object of the preposition there's really no excuse not to use it. And sentences like "who hit who" are better when phrased as "who hit whom." The former requires more thinking than the latter.

Just because most people don't bother, doesn't mean that it's not worth the time. Granted, if you're using more complex sentences it can be ridiculous to diagram them in your head, but for more simple sentences it's not that hard.

Re:Why don't businesses get it?

[invid]

Only if it also involves a squirrel, a bikini model, and a trebuchet.

Re:Why don't businesses get it?

[gnasher719]

Payouts from just about any 'contest' style arrangement to under-18s tend to be legally obnoxious; but Paypal are a bunch of legendary assholes(and not mentioning such a salient limitation is a total dick move), so I'm not inclined to give them the benefit of the doubt. I'm a bit surprised that they didn't just accuse him of hacking and then freeze and seize a few dozen random accounts...

What happens legally if you are 18 or over: You enter a contract with Paypal that allows them to make use of the bug information that you found and gave them, and in exchange they give you some money. What happens if you are under 18: The same, but as the kid under 18 you or your guardian can void the contract at any time, which would mean Paypal wouldn't have the right to use the information you gave them. Now consider what happens if they fixed a bug based on your information, shipped a product and suddenly they have no permission anymore to use the information. Ugly.

Re:Why don't businesses get it?

[faedle]

PayPal's assholishness is the stuff of legend. PayPal's customer service nightmares alone have been covered by the major media plenty of times. And yet, people still choose to do business with them. Go figure.

Re:Why don't businesses get it?

[vux984]

I'm assuming there's no legal reason why one would need to be 18 to get paid for something like this?

Perhaps he needs to be able to enter into a contract? Non-disclosure agreement, etc.

Perhaps he runs afoul of some law preventing children from entering contests... he's in Germany so I'm not aware of any in particular, but Maine for example, has the The Predatory Marketing against Minors Act, which has had the result of companies blocking anyone under the age of 18 from entering various contests because they don't want to risk the liability of being found in violation of this law.

Just lawyers upholding the all holy all important important EULA at the expense of what's fair and what's good PR?

Or just following the law. (Although I'm pretty sure they could do something appropriate to at least recognize him... but this is paypal... paypal sucks.)

Re:Why don't businesses get it?

[pla]

They are a bank and have to respect the law.

They have fought tooth and nail - successfully - to remain very much not a bank. Banks have extensive regulations regarding when, how, and for how long they can lock you out of access to your own money, which runs contrary to Paypal's "when in doubt, just steal from our customers" business model.


No business with minors is one of them.

First of all, this kid already had a Paypal account. They never hesitated to take his money, and only mentioned this rule when it came time to pay some out.

And second - Just "no". Doing business with kids imposes a small extra burden on the company to make sure the parents approve, or they risk having a reduced ability to pass the buck on any derived liability. A bit more stringent, we have COPPA adding a ton of privacy requirements for kids under 13, but that doesn't apply here (and even then doesn't make such accounts illegal, it just requires parental approval and blocks the company from tracking/selling certain information about the kids).

Re:Why don't businesses get it?

[anarcobra]

So does this mean they can't fix the bug now? Because that would be using the information.

Re:Why don't businesses get it?

[IP_Troll]

but as the kid under 18 you or your guardian can void the contract at any time, which would mean Paypal wouldn't have the right to use the information you gave them. Now consider what happens if they fixed a bug based on your information, shipped a product and suddenly they have no permission anymore to use the information. Ugly.

If someone discovers a flaw in a system, you are not barred from ever fixing that flaw in the future. Whether or not the person that discovered the flaw is a minor is irrelevant.

If they offer a potential code fix you can chose not to use their code and avoid all liability.

You can try to fabricate a strawman argument to try to prove your point, but what you said is just plain wrong.

Re:Why don't businesses get it?

[Maximum+Prophet]

What happens legally if you are 18 or over: You enter a contract with Paypal that allows them to make use of the bug information that you found and gave them, and in exchange they give you some money. What happens if you are under 18: The same, but as the kid under 18 you or your guardian can void the contract at any time, which would mean Paypal wouldn't have the right to use the information you gave them.

Kids write, record and perform songs all the time, the the record companies have found a way to hold them to contracts. Ditto for kids that appear in films. What does Nashville and Hollywood know that PayPal can't figure out?

Re:Why don't businesses get it?

[dgatwood]

This is the point where Paypal learns the hard way that his parents did not consent to him accepting the terms of service where he agreed to mandatory binding arbitration.

Re:Why don't businesses get it?

Not the same AC, but the fact that I did not even notice the typo until you pointed it out kinda supports the AC's point.

Re:Why don't businesses get it?

[deoxyribonucleose]

Err... *yes it it*. It's *communication*. Ie it's a passing of information from one person to another, so both people need to understand and agree on the meaning of the words used! (ok, so this particular case the words who and whom are similar enough to be guessed, but if they were very different and the other person didn't understand the obscure & pointless word you used, it's your fault for using it)

What a sad world it would be if language were solely about communicating clear, distinct meanings.

Re:Why don't businesses get it?

[tlhIngan]

PayPal's assholishness is the stuff of legend. PayPal's customer service nightmares alone have been covered by the major media plenty of times. And yet, people still choose to do business with them. Go figure.

Because the alternatives are actually worse than paypal. A real merchant account is pretty damn abusive as well, and that's provided you qualify. If you sell trinkets irregularly over the Internet, you may not even qualify for a merchant account (they often have minimum transactions per month, or you pay a fee).

Things like Square work if you have the card or can get someone to send you the card information (which I believe has to be manually entered and doesn't qualify for the low Square rate).

The end result really is that if you want to accept a payment, Paypal is the only option for many. Well, you could save the 5% paypal fee and demand your customers get you a money order or something, but the inconvenience would generally put off many of your customers.

The next bug....

So, the next time a 17yo finds a bug, they don't report it, the exploit it.

Sounds like a plan.

Paypal, perhaps all future underage rewards be in the form of scholarships?

Re:The next bug....

[click2005]

If I was him, next time I'd setup a system where people could donate bitcoins. Once the total reached the target amount the exploit gets released with the largest donator getting to choose who it gets released to.

I could be worse.

PayPal could have paid into his parent's account, and then froze it.

Re:I could be worse.

[iggymanz]

or they could give it to his guardian or parents, or at least ask him to name a charity for it to be donated. In short, a dozen ways they could award the money if they weren't cheap-asses, and used their brain a little.

Just give the kid his money

[TWiTfan]

I'm pretty sure most shareholders would rather you part with tiny sum of money that you owe this kid than to take the tsunami of bad PR and bad faith that would result in you being dicks about it.

Re:Just give the kid his money

[cdrudge]

Shareholders don't give a crap. The number of people who won't use Paypal because of this isn't even a blip on their financial impact radar, causing even less of a blip on eBay's stock price.

Briliant.

[headhot]

Way to piss off the community you asked to hack your system. I'm sure this will go well.

Re:Paypal suck.CROOKS

They're crooks.

Let this be a Lesson

[bengoerz]

If Paypal won't pay the kid for bugs in its system, I bet someone else will.

Re:Let this be a Lesson

[minstrelmike]

If Paypal won't pay the kid for bugs in its system, I bet someone else will.

Seems to me that's the entire reason for having a bounty program in the first place.
Then they dump it because the legal hassle of paying an under-age worker is too difficult.
Way to strategize.

They could have placed it in a college scholarship

[Picass0]

"Here's a few bucks in a bank account for next year when you go to school!" Oh, no. They didn't think of that. Creeps.

Perverse incentive

[wanderfowl]

"Remember kids: If you find a bug in Paypal's system, you'll get paid more for selling it to the black hats."

So they are going to do the right thing right?

[Marrow]

And hold the money for him until he is 18? And then give it to him. That would satisfy their policies wouldnt it?

Dear Kid,

[dlb]

Welcome to the real world.

Too young for what ?

[Alain+Williams]

If he is too young to receive money for finding a bug, is he also too young to be criminally prosecuted for exploiting a bug ?

Re:Too young for what ?

[sociocapitalist]

If he is too young to receive money for finding a bug, is he also too young to be criminally prosecuted for exploiting a bug ?

No, he's too young to enter into a contract to receive money for finding a bug.

Don't like it, change US contract law.

So you wouldn't pay the kid that found your lost dog the reward you promised?

This has nothing to do with contract law. Paypal could pay him any number of ways (ie via the parents or when he turns 18).

Re:They could have placed it in a college scholars

[mark-t]

While I can appreciate where your skepticism is coming from, you have to realize that Paypal freezing people's accounts is actually not a typical thing. For every person that this sort of thing happens to, there are many hundreds or thousands of others that it does not. Not that I'm saying that it happens at all is acceptable, but it's not statistically valid to assume that something which happens a tiny fraction of 1% of the time might be sufficient reason to believe that one should actually be actively *expecting* it to happen at any particular time.

They never learn

[Reliable+Windmill]

I wonder when big companies will learn that douchery like this always comes back to bite. Are you unaware of the Internet? You can't get away with it!

Paypal did him a favor

[Diddlbiker]

For a few hundred bucks, the kid learned some valuable lessons that will last a lifetime. That's less than $1 per month.

• Paypal will fuck you over
• In fact, large corporations will
• And so will anyone else
• Learn to read the fine print

Where's the story?

[pongo000]

FTFA:

PayPal requires that those reporting bugs have a verified PayPal account.

The kid didn't have one. Claim denied. What's the story here? (The age thing? That's irrelevant...)

Re:Where's the story?

[wonkey_monkey]

Shut uuuup. You're spoiling it.

Re:Where's the story?

[GodfatherofSoul]

LOL wow this sums up Slashdot perfectly. A whole ton of posters railing against this silly corporate legalese of Paypal, and the one guy who reads the article smacks it all down with one sentence!

How to turn a white hat against you

[rs1n]

Paypal is really stupid -- I would not be surprised if this actually results in the guy finding more bugs and simply just releasing the information without giving Paypal any heads up about it.

Normal US procedures

[Sarten-X]

Welcome, Mr. Kugler, to the good ol' US-of-A, where you aren't a real person until you can cast a ballot. If you get a job, you must follow a different set of rules. If you break a law, you get a different justice system. If you win a contest, you have a different set of rules that forbid you from winning anything. That's right, in several states you can't actually own property until you're 18. I'm not sure what jurisdiction PayPal/eBay is playing ball in, but in general, don't expect the government to ever side with anyone who hasn't reached that magical moment where they are instantly freed from their childhood stupidity.

You see, despite biology saying that humans are mature at around 15 years, the Puritans who founded the United States were rather squeamish about things like youthful ambition, political activism, and worst of all, sex. The generally-accepted age of maturity moved back several years, finally settling at 18, and it's been stuck there. Of course, anyone under 18 who wants to have their full rights doesn't have the right to get them (except through a red-tape-filled emancipation process), and no parents ever want their darling little children to grow up so fast, and no politician would dare propose an affront to "traditional family values", so there are no realistic attempts to get more legal power for minors.

A few states allow certain adult rights to 16- and 17-year-olds, but those rights are usually restricted to things like "can work on a farm" and "can be prosecuted as an adult for heinous crimes". Practically all other rights are the domain of the parents, so there's a slim chance that your parents could ask for the reward as promised, but that's unlikely to work, because they didn't find the bug.

Welcome, sir, to America, where our child abuse is civilized!

Secret conditions

[Geoffrey.landis]

So, basically, they have secret conditions to their offer to pay for revealing of bugs, and they don't tell anybody what those secret conditions are.

So, uh, why would anybody expect to be paid? What other secret conditions do they have, which they can reveal at any time and say "oh, so sorry, but one of our terms is that we don't pay under (xx) conditions."

--I'm sorry, but we don't pay if you work for a competitor, or a company that we deem might be a competitor in the future
--I'm sorry, but we don't pay if it's a vulnerability that can be traced to a flaw in an Adobe product, or in a commercial database program we may use that was purchased from an commercial source.
--I'm sorry, but we don't pay if you're from a country that doesn't speak English.
--I'm sorry, but we don't pay if the vulnerability is discovered by somebody from states with names beginning with a vowel.
--I'm sorry, but we don't pay if the vulnerability is one that is only active on days of the week ending in "y".

Re:Secret conditions

[UnknowingFool]

I think PayPal assumed like many other companies that you have to be an adult to consent to things that involve money and contracts. Every contest for minors I've seen normally requires parental consent. The bounty program says this specifically:

As between eBay Inc. and the Submitter, as a condition of participation in the PayPal Bug Bounty program, the Submitter grants eBay Inc., its affiliates and customers a perpetual, irrevocable, worldwide, royalty-free and non-exclusive license to use, reproduce, adapt, modify, publish, distribute, publicly perform, create derivative work from, make, use, sell, offer for sale and import the Submission for any purpose.

There is no way, a minor could agree and consent to that. Now PayPal could revise its policies now and in the future, but there is a reason not to let minors in.

scholarship?

[schlachter]

Give the fucking kid a scholarship to college...or a paid internship at Paypal. Is it not possible for anyone to do any serious work until they are 18 yrs? wtf

Re:scholarship?

[sleigher]

I just can't wait til the pissed off kid finds the next bug... Maybe he already did and only gave them the small one. I can hope... fuck paypal

Re:scholarship?

[funwithBSD]

No, but generally speaking you cannot enter a contract with a minor, which is probably the legal issue. Age of majority is variable, but in California that is 18 ys old.

They should find a way around it, but they can't just give it to him.

Re:scholarship?

Actually, no, you can indeed enter into a contract with a minor. If you couldn't, I'd have my kid click through all those license agreements nobody reads.

The minor can be held to a contract that they signed if the parent knew of the contract and demonstrated acceptance, generally by not protesting it. At least that is (generally) the law in the US.

Re:scholarship?

[David_Hart]

No, but generally speaking you cannot enter a contract with a minor, which is probably the legal issue. Age of majority is variable, but in California that is 18 ys old.

They should find a way around it, but they can't just give it to him.

I am not a lawyer, but my understanding is that simply paying someone a reward is not entering into a contract.

If Paypal requires that the person who finds the bug enters into a non-disclosure and/or marketing agreement (i.e. to be able to publish their name as the bug finder) prior to receiving the reward then I would agree that this may be the issue. However, there are tons of child actors in Hollywood, so their must be a way that a minor can enter into an agreement. I'm guessing that it would require the legal guardian(s) signature.

Re:scholarship?

[kencurry]

Seems like a BS excuse to me. Minors receive scholarship money; hell they even turn pro is some sports. When my daughter started college she was only 17, but she controlled her own accounts at the UC she was attending without needing me to sign for everything. Paypal could find a work around if they wanted to.

Re:scholarship?

[lgw]

It's not just the security aspect - presumably PayPal is also doing this whole exercise to better their reputation in general. How's that working out?

Re:scholarship?

[Jessified]

Yea it's BS there are tons of ways around these things. Also, they can't pay him because he isn't an adult old enough to abide by their terms and conditions or whatever, doesn't that gut every EULA everywhere? "My 16 year old installed it."

Re:scholarship?

[hweimer]

Give the fucking kid a scholarship to college...

He's from Germany and therefore unlikely to face any tuition fees, so I doubt he'll need one.

Re:scholarship?

[dissy]

Seriously, paypal done fucked up once more.

They did a great job teaching this kid "I could sell it to paypal for zero dollars, or I can auction it on this underground forum starting at $5000"

The only thing the kid even asked paypal for was a written statement of the accomplishment to put on his resume, and they won't even send that!
Even Microsoft lists him as a security researcher for the updates they have pushed fixing bugs this kid has found and reported to them!

The worst part is, paypal has also just taught these facts to everyone else who happens to know of an exploit in their system, or ever finds one in the future.

Smart move paypal *golf clap* smart move

The next bug will cost more.

[FellowConspirator]

That's a foolish thing to do. Now that kid won't report the second bug he found and may just publish it in some innocuous place where it will get picked up by a ne'erdowell and be exploited - something that will no doubt cost more than if PayPal had just done right by the kids in the first place.

Re:Redundent?

[geminidomino]

Probably, but your first instance of "in" was certainly redundant! ;)

Debtor cannot dictate form of payment

[Animats]

The rules say that "Payment is paid out through a verified PayPal account, once the bug is fixed." It's not required to have a PayPal account to win. That's just the payment mechanism eBay prefers. Once someone has won, PayPal owes them money. PayPal is a debtor here.

Debtors do not. in general, get to require that their creditor jump through hoops to get paid. Whether eBay is entitled to require payment via their own system is a legal issue which eBay would probably lose. Any collection lawyer or collection agency should be able to take this case and win.

On top of that, this is a "contest", and in the US, contests are regulated by the FTC's Contest Rule. Federal law limits what a contest operator can require after they've told someone they've "won".

Name, address of eBay CEO

[dpbsmith]

PayPal is a subsidiary of eBay. The CEO's name is John Donahue. I've written to him. If anyone else wants to:

John Donahue
CEO, eBay
2055 Hamilton Ave
San Jose, CA 95125

It's my belief that as of 2013, a personal letter, written in ink on physical paper in an envelope with a stamp, sent by USPS, has more impact than e-communication or online petitions.

This is a stupid move.

[MAXOMENOS]

The next time a teenager finds an exploit in PayPal, what are the odds they're going to report it, and not exploit it? After this dick move, the report odds go down and the exploit odds go up. Stupid, stupid, stupid.

If they won't pay because of his age

[g0bshiTe]

There's others out there that will. And generally they are the ones looking to exploit those bugs. Factor that in next time PayPal.