PayPal Denies Teen Reward For Finding Bug

itwbennett writes "You have to be 18 to qualify for PayPal's bug bounty program, a minor detail that 17-year old Robert Kugler found out the hard way after being denied a reward for a website bug he reported. Curiously, the age guideline isn't in the terms and conditions posted on the PayPal website. Kugler was informed by email that he was disqualified because of his age."

Paypal suck.

[aliquis]

^ That's all.

Re:Paypal suck.

At least provide the link.

Re:Paypal suck.

[KGIII]

That site has been around forever and a day it seems. There are a number of people who have been screwed over by the company. I wouldn't have any sympathy for those people getting screwed except that some of them appear to (and have provided documentation that appears to be proof) be following all the various rules that PayPal has and yet they're still getting screwed over.

One of the biggest and most common problems I see are the jackasses that reverse the charges because they claim they never got the product. Some of them have been so egregious that they claim the product was not new even though the ad provided by the seller clearly indicated that the product was in used condition. Yet PayPal still found in favor of the buyer and forced the refund. They've locked entire accounts worth thousands of dollars at their whim.

I'm beginning to think that if they want to act like a bank that they need to be regulated as a bank but we've all seen how poorly bank regulation is and how ineffective the government's monitoring of banks is so I'm not sure how much of an actual benefit that would be.

In this case it seems to me that PayPal could easily work with the teen and find an adult who could be awarded the reward on the teens behalf. But, well, why do that when they can simply refer to the rules and save the reward money? Assholes... A part of me wants to say that it is the teens fault for not being aware of the rules or for thinking that the rules don't apply to them. Indeed that would normally have been my attitude. However, this is PayPal and, due to that fact alone, means that I'm not inclined to reward PayPal with good-will thinking or benefit of the doubt thinking.

Why don't businesses get it?

[singingjim1]

That's a REALLY good way to generate positive publicity for your company - act like a douche.

Re:Why don't businesses get it?

[Mike+Frett]

Because the number of users whom don't care or didn't read this news is greater than the people that do. And they will continue to use the service no matter what.

Re:Why don't businesses get it?

[fuzzyfuzzyfungus]

Oh, they could have done any number of things that aren't "be a total asshole".

My point was merely that it is practically boilerplate for contests to have an "Applicants must be US residents 18 years or older" clause to keep legal complexity down, so that part of the story isn't too unexpected. It's just the not having that clause, and then springing it on him anyway, and not even trying to make amends in some other fashion, that is just classic Paypal... Merely forbidding under-18's, because they are a greater pain to deal with, is pretty normal.

Re:Why don't businesses get it?

No, it isn't obsolete and does matter. Try to get a book published if you're ignorant of grammar. Now, in a forum like this? If you're going to use "whom" you'd better be damned sure you're using it correctly or you'll look both pretentious and ignorant at the same time. Faux intellectuals are annoying. If you don't know when to use "whom" and when to use "who", just don't use "whom" at all. But don't expect anyone to believe you're ever stepped foot in a community college, let alone a university.

Leave "whom" to the pros, kid. If you're ignorant about a subject, STFU about it except for asking questions and listen. Nobody ever learned anything by spouting off shit they were ignorant about. Pretending to be more knowlegable than you actually are will leave you ignorant and leave everyone else laughing.

Re:Why don't businesses get it?

[invid]

Only if it also involves a squirrel, a bikini model, and a trebuchet.

Re:Why don't businesses get it?

[gnasher719]

Payouts from just about any 'contest' style arrangement to under-18s tend to be legally obnoxious; but Paypal are a bunch of legendary assholes(and not mentioning such a salient limitation is a total dick move), so I'm not inclined to give them the benefit of the doubt. I'm a bit surprised that they didn't just accuse him of hacking and then freeze and seize a few dozen random accounts...

What happens legally if you are 18 or over: You enter a contract with Paypal that allows them to make use of the bug information that you found and gave them, and in exchange they give you some money. What happens if you are under 18: The same, but as the kid under 18 you or your guardian can void the contract at any time, which would mean Paypal wouldn't have the right to use the information you gave them. Now consider what happens if they fixed a bug based on your information, shipped a product and suddenly they have no permission anymore to use the information. Ugly.

Re:Why don't businesses get it?

[pla]

They are a bank and have to respect the law.

They have fought tooth and nail - successfully - to remain very much not a bank. Banks have extensive regulations regarding when, how, and for how long they can lock you out of access to your own money, which runs contrary to Paypal's "when in doubt, just steal from our customers" business model.


No business with minors is one of them.

First of all, this kid already had a Paypal account. They never hesitated to take his money, and only mentioned this rule when it came time to pay some out.

And second - Just "no". Doing business with kids imposes a small extra burden on the company to make sure the parents approve, or they risk having a reduced ability to pass the buck on any derived liability. A bit more stringent, we have COPPA adding a ton of privacy requirements for kids under 13, but that doesn't apply here (and even then doesn't make such accounts illegal, it just requires parental approval and blocks the company from tracking/selling certain information about the kids).

Re:Why don't businesses get it?

[IP_Troll]

but as the kid under 18 you or your guardian can void the contract at any time, which would mean Paypal wouldn't have the right to use the information you gave them. Now consider what happens if they fixed a bug based on your information, shipped a product and suddenly they have no permission anymore to use the information. Ugly.

If someone discovers a flaw in a system, you are not barred from ever fixing that flaw in the future. Whether or not the person that discovered the flaw is a minor is irrelevant.

If they offer a potential code fix you can chose not to use their code and avoid all liability.

You can try to fabricate a strawman argument to try to prove your point, but what you said is just plain wrong.

Re:Why don't businesses get it?

[tlhIngan]

PayPal's assholishness is the stuff of legend. PayPal's customer service nightmares alone have been covered by the major media plenty of times. And yet, people still choose to do business with them. Go figure.

Because the alternatives are actually worse than paypal. A real merchant account is pretty damn abusive as well, and that's provided you qualify. If you sell trinkets irregularly over the Internet, you may not even qualify for a merchant account (they often have minimum transactions per month, or you pay a fee).

Things like Square work if you have the card or can get someone to send you the card information (which I believe has to be manually entered and doesn't qualify for the low Square rate).

The end result really is that if you want to accept a payment, Paypal is the only option for many. Well, you could save the 5% paypal fee and demand your customers get you a money order or something, but the inconvenience would generally put off many of your customers.

The next bug....

So, the next time a 17yo finds a bug, they don't report it, the exploit it.

Sounds like a plan.

Paypal, perhaps all future underage rewards be in the form of scholarships?

Re:The next bug....

[click2005]

If I was him, next time I'd setup a system where people could donate bitcoins. Once the total reached the target amount the exploit gets released with the largest donator getting to choose who it gets released to.

I could be worse.

PayPal could have paid into his parent's account, and then froze it.

Re:I could be worse.

[iggymanz]

or they could give it to his guardian or parents, or at least ask him to name a charity for it to be donated. In short, a dozen ways they could award the money if they weren't cheap-asses, and used their brain a little.

Just give the kid his money

[TWiTfan]

I'm pretty sure most shareholders would rather you part with tiny sum of money that you owe this kid than to take the tsunami of bad PR and bad faith that would result in you being dicks about it.

Briliant.

[headhot]

Way to piss off the community you asked to hack your system. I'm sure this will go well.

Re:Paypal suck.CROOKS

They're crooks.

Let this be a Lesson

[bengoerz]

If Paypal won't pay the kid for bugs in its system, I bet someone else will.

They could have placed it in a college scholarship

[Picass0]

"Here's a few bucks in a bank account for next year when you go to school!" Oh, no. They didn't think of that. Creeps.

Perverse incentive

[wanderfowl]

"Remember kids: If you find a bug in Paypal's system, you'll get paid more for selling it to the black hats."

So they are going to do the right thing right?

[Marrow]

And hold the money for him until he is 18? And then give it to him. That would satisfy their policies wouldnt it?

Too young for what ?

[Alain+Williams]

If he is too young to receive money for finding a bug, is he also too young to be criminally prosecuted for exploiting a bug ?

Re:They could have placed it in a college scholars

[mark-t]

While I can appreciate where your skepticism is coming from, you have to realize that Paypal freezing people's accounts is actually not a typical thing. For every person that this sort of thing happens to, there are many hundreds or thousands of others that it does not. Not that I'm saying that it happens at all is acceptable, but it's not statistically valid to assume that something which happens a tiny fraction of 1% of the time might be sufficient reason to believe that one should actually be actively *expecting* it to happen at any particular time.

Where's the story?

[pongo000]

FTFA:

PayPal requires that those reporting bugs have a verified PayPal account.

The kid didn't have one. Claim denied. What's the story here? (The age thing? That's irrelevant...)

Secret conditions

[Geoffrey.landis]

So, basically, they have secret conditions to their offer to pay for revealing of bugs, and they don't tell anybody what those secret conditions are.

So, uh, why would anybody expect to be paid? What other secret conditions do they have, which they can reveal at any time and say "oh, so sorry, but one of our terms is that we don't pay under (xx) conditions."

--I'm sorry, but we don't pay if you work for a competitor, or a company that we deem might be a competitor in the future
--I'm sorry, but we don't pay if it's a vulnerability that can be traced to a flaw in an Adobe product, or in a commercial database program we may use that was purchased from an commercial source.
--I'm sorry, but we don't pay if you're from a country that doesn't speak English.
--I'm sorry, but we don't pay if the vulnerability is discovered by somebody from states with names beginning with a vowel.
--I'm sorry, but we don't pay if the vulnerability is one that is only active on days of the week ending in "y".

scholarship?

[schlachter]

Give the fucking kid a scholarship to college...or a paid internship at Paypal. Is it not possible for anyone to do any serious work until they are 18 yrs? wtf

Re:scholarship?

[sleigher]

I just can't wait til the pissed off kid finds the next bug... Maybe he already did and only gave them the small one. I can hope... fuck paypal

Re:scholarship?

[funwithBSD]

No, but generally speaking you cannot enter a contract with a minor, which is probably the legal issue. Age of majority is variable, but in California that is 18 ys old.

They should find a way around it, but they can't just give it to him.

Re:scholarship?

Actually, no, you can indeed enter into a contract with a minor. If you couldn't, I'd have my kid click through all those license agreements nobody reads.

The minor can be held to a contract that they signed if the parent knew of the contract and demonstrated acceptance, generally by not protesting it. At least that is (generally) the law in the US.

Re:scholarship?

[David_Hart]

No, but generally speaking you cannot enter a contract with a minor, which is probably the legal issue. Age of majority is variable, but in California that is 18 ys old.

They should find a way around it, but they can't just give it to him.

I am not a lawyer, but my understanding is that simply paying someone a reward is not entering into a contract.

If Paypal requires that the person who finds the bug enters into a non-disclosure and/or marketing agreement (i.e. to be able to publish their name as the bug finder) prior to receiving the reward then I would agree that this may be the issue. However, there are tons of child actors in Hollywood, so their must be a way that a minor can enter into an agreement. I'm guessing that it would require the legal guardian(s) signature.

Re:scholarship?

[kencurry]

Seems like a BS excuse to me. Minors receive scholarship money; hell they even turn pro is some sports. When my daughter started college she was only 17, but she controlled her own accounts at the UC she was attending without needing me to sign for everything. Paypal could find a work around if they wanted to.

Re:scholarship?

[lgw]

It's not just the security aspect - presumably PayPal is also doing this whole exercise to better their reputation in general. How's that working out?

Re:scholarship?

[dissy]

Seriously, paypal done fucked up once more.

They did a great job teaching this kid "I could sell it to paypal for zero dollars, or I can auction it on this underground forum starting at $5000"

The only thing the kid even asked paypal for was a written statement of the accomplishment to put on his resume, and they won't even send that!
Even Microsoft lists him as a security researcher for the updates they have pushed fixing bugs this kid has found and reported to them!

The worst part is, paypal has also just taught these facts to everyone else who happens to know of an exploit in their system, or ever finds one in the future.

Smart move paypal *golf clap* smart move

Debtor cannot dictate form of payment

[Animats]

The rules say that "Payment is paid out through a verified PayPal account, once the bug is fixed." It's not required to have a PayPal account to win. That's just the payment mechanism eBay prefers. Once someone has won, PayPal owes them money. PayPal is a debtor here.

Debtors do not. in general, get to require that their creditor jump through hoops to get paid. Whether eBay is entitled to require payment via their own system is a legal issue which eBay would probably lose. Any collection lawyer or collection agency should be able to take this case and win.

On top of that, this is a "contest", and in the US, contests are regulated by the FTC's Contest Rule. Federal law limits what a contest operator can require after they've told someone they've "won".